
RSA enVision Architecture in Managed Security Service Provider Environments

This document covers the features and design considerations when deploying the RSA
enVision Security Information and Event Management (SIEM) system in an MSSP (Managed
Security Service Provider) environment.

MSSP providers need to consider SIEM coverage ranging from small customers with few
event sources to very large customers with a great many event sources and a very high
EPS (events per second) rate, and everything in between. We will look at this in terms of
small, medium, and large customers.

RSA enVision is an appliance-based solution. In a typical customer environment a
customer will have one or more appliances. With a single appliance, the ES model, that one
appliance serves as a combined application server, data server, and collector server. For a
medium to large customer environment, appliances are clustered in groups of three or more,
the LS Cluster models, where each appliance is dedicated to one of the three roles:
application server appliance, data server appliance, or collector appliance. The following
describes how these appliances are deployed in MSSP environments.

There are basically two architectural models for deploying enVision in an MSSP
environment: centralized and decentralized. RSA enVision MSSP providers typically use
one or the other, and some MSSP providers use a combination of both centralized and
decentralized deployments to meet the different needs of their customer base.

RSA enVision in Decentralized MSSP Model

The decentralized deployment model is the simplest and most straightforward
deployment of SIEM in the managed service environment. It entails installing standalone
enVision appliances at the customer site, ES or LS Cluster as needed based on the number
and size of log sources. These decentralized enVision installations are then remotely
managed by the MSSP service provider, typically over a secure VPN connection from the
MSSP SOC, where SOC analyst resources can be leveraged across multiple customers.

The choice of using a decentralized model is often dictated by the customer’s need to
keep log data at their site. Some European countries require that security log data not pass
out of the country so if an MSSP is serving customers in multiple countries they might be
required to provide a decentralized offering for certain customers with such requirements.
Figure A. MSSP Decentralized

[Diagram: the MSSP SOC connects over the Internet to three customer sites. Two customers
run a standalone ES appliance (one rated up to 5k EPS, one up to 10k EPS); the third
runs an LS Cluster (10k+ EPS) with switch and NAS storage. Each site collects from its
own event sources: Checkpoint Firewall, Windows Servers, Microsoft ISA, Cisco PIX, ISS,
and PCI devices.]


Figure A represents a decentralized MSSP model illustrating how multiple customers are
managed by a single MSSP provider delivering leveraged SOC monitoring services for
their customers with locally installed RSA enVision systems.

Some customers also choose to share the event monitoring responsibilities and thus prefer
to have the appliance and console at their site. Some customers of enVision MSSP
partners choose to employ a cooperative monitoring strategy with the service provider,
whereby the customer monitors their events during the primary shift and then passes
responsibility to the MSSP during the off-hours and weekend coverage periods.

RSA enVision is an easily extensible system allowing for content sharing between
servers thus allowing an MSSP provider to leverage custom correlation rules, custom
reports, and custom event source descriptions between customer environments via
exportable XML packages.

RSA enVision in the Centralized MSSP Model

It is highly desirable to deploy enVision in a centralized or leveraged MSSP model,
whereby log collection is distributed and all the logs and monitoring are sent to the MSSP
provider.

In the Centralized MSSP environment the MSSP provider sets up an LS cluster at the
central site consisting of an Application Server, a Data Server, and Network Attached
Storage Array. This central LS cluster can then serve multiple managed customers by
installing enVision Appliance Remote Collectors at the customer site which feed into the
centralized LS cluster providing real-time monitoring of events while at the same time
allowing secure and compressed transfer of log data to the central site for long term
storage and analysis.

The centralized environment offers all the necessary aspects of a multi-tenant log
management where division of data and division of role is paramount. RSA enVision
stores logs in a simple and secure indexed file system known as the IPDB (Internet
Protocol Database). There is a unique IPDB log system for each enVision collector thus
each customer has their own unique log storage silo. The IPDB is created at the Remote
Collector for real-time processing and forwarded on a scheduled basis to the Central LS
DSRV to be stored on the NAS for long-term storage and analysis.

Figure B.

[Diagram: at the MSSP site, an App Server, a Data Server, a switch and NAS storage. Over
the Internet, Customer A (Remote Collector, 1000 EPS) and Customer B (Remote Collector,
2000 EPS), each collecting from local event sources: Checkpoint Firewall, Windows Servers,
Microsoft ISA, Cisco PIX, ISS, and PCI devices.]

Figure B represents a centralized MSSP model illustrating how multiple customers are
managed from a single MSSP provider delivering leveraged SOC monitoring services for
their multiple customers.

In some cases MSSP providers choose to have no appliance installed at the customer sites
and instead have all events sent over the internet through secure VPN tunnel to
centralized “local” collectors at the MSSP as illustrated in Figure C.

Figure C.

[Diagram: at the MSSP site, an App Server, a Data Server, a switch and NAS storage, plus
a Local Collector per customer (Cust A Local Collector, 5000 EPS; Cust B Local Collector,
10000 EPS). Customer A and Customer B send events over the Internet with no appliance on
site; their event sources are Checkpoint Firewall, Windows Servers, Microsoft ISA, Cisco
PIX, ISS, and PCI devices.]

Figure C represents a centralized MSSP model using centralized local collectors thus
eliminating the need to install any hardware at the customer site.

The centralized local collector model in Figure C provides all the same data segmentation,
multi-tenant, and centralized analysis benefits as the remote collector model in Figure B.
There can be up to three Local Collectors connected to the Master Data Server, providing a
combined support capacity of up to 30,000 EPS and 6,000 Event Sources. Additional Data
Server/Collectors, known as slave sites, can be added either at the MSSP or at the customer
location to add capacity. Data Servers connect to each other to provide centralized
visibility to all the data from any Application Server.

All centralized models provide cross customer correlation advantages over the
decentralized model. If an attack occurs affecting multiple customers it may be easier to
detect since all of the activity spanning multiple customers can be seen in a single
analysis report, query, or rule-based correlated alert.
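As an added illustration of the cross-customer visibility described above (this is not RSA enVision code and not an enVision correlation rule), the following Python script runs a simple correlation over constructed sample events from three customers and flags a source address that appears against two or more of them inside one time window, then shows that each customer's own view of the same data finds nothing. The event fields, tenant names and addresses are assumptions of the example.

```python
"""Cross-customer correlation on a centralized MSSP SIEM.

Added illustration, not RSA enVision code and not an enVision correlation rule:
in the centralized model every customer's events sit in one data set, so a
rule can notice the same external source address hitting several customers,
which a per-customer (decentralized) deployment cannot see. The events below
are constructed samples; the field names, tenant names and addresses are
assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as they might arrive from three customers' collectors.
SAMPLE_EVENTS = [
    {"tenant": "CustomerA", "src_ip": "203.0.113.7", "event_type": "firewall_deny", "ts": "2010-03-01T10:00:05"},
    {"tenant": "CustomerA", "src_ip": "203.0.113.7", "event_type": "firewall_deny", "ts": "2010-03-01T10:01:10"},
    {"tenant": "CustomerB", "src_ip": "203.0.113.7", "event_type": "firewall_deny", "ts": "2010-03-01T10:03:40"},
    {"tenant": "CustomerB", "src_ip": "198.51.100.9", "event_type": "firewall_deny", "ts": "2010-03-01T10:04:00"},
    {"tenant": "CustomerC", "src_ip": "203.0.113.7", "event_type": "auth_failure", "ts": "2010-03-01T10:20:00"},
    {"tenant": "CustomerA", "src_ip": "192.0.2.50", "event_type": "firewall_deny", "ts": "2010-03-01T11:00:00"},
]


def cross_tenant_sources(events, window_minutes=30, min_tenants=2):
    """Return {src_ip: [tenants]} for every source address whose events touch
    at least `min_tenants` different customers inside one sliding window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["src_ip"]].append((datetime.fromisoformat(event["ts"]), event["tenant"]))

    hits = {}
    for src_ip, seen in by_ip.items():
        seen.sort()  # chronological order per source address
        for i, (start, _) in enumerate(seen):
            # Tenants touched by this source within `window` of the i-th event.
            tenants = {tenant for ts, tenant in seen[i:] if ts - start <= window}
            if len(tenants) >= min_tenants:
                hits[src_ip] = sorted(tenants)
                break
    return hits


def tenant_view(events, tenant):
    """The subset a single customer's own (decentralized) deployment would hold."""
    return [event for event in events if event["tenant"] == tenant]


if __name__ == "__main__":
    print("centralized view:", cross_tenant_sources(SAMPLE_EVENTS))
    for tenant in ("CustomerA", "CustomerB", "CustomerC"):
        print(tenant, "alone:", cross_tenant_sources(tenant_view(SAMPLE_EVENTS, tenant)))
```

Run as-is, the centralized view reports 203.0.113.7 against all three customers, while each per-customer view reports nothing, because a single tenant can never satisfy the two-tenant threshold. The window and threshold are parameters so the same rule can be tuned per service.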
Some MSSP providers may selectively choose to leverage a collector by sending logs
from different customers to the same leveraged collector. This may be especially
desirable in those instances where the customers are very small with few log sources. In
these cases it is important to be cognizant of keeping customer log data both physically
and logically separate. Each log source is stored by its IP address/Event Source Type
pairing. In such cases MSSP providers will have a NAT (Network Address Translation)
device intercepting incoming log traffic to ensure the IP addresses of the log sources are
unique to the Service Provider. In many cases the Service Provider is also managing the
customer networks and knows there are no IP/Event Source Type overlaps between their
managed customer environments. Logical division of data is governed by mapping Event
Source Groups (Device Groups) to User Groups.

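The following Python script is an added example, not RSA enVision code, of the two separation controls just described for a shared collector: it detects IP address / Event Source Type collisions between customers before their logs are consolidated, applies a hypothetical static one-to-one NAT table to make source addresses unique per customer, and resolves which sources a user may query from a Device Group to User Group mapping. The inventory, address ranges, group names and all function names are constructed for the example.

```python
"""Keeping customer log data separate on a shared (leveraged) collector.

Added illustration, not RSA enVision code. The text states that each log
source is stored by its IP address / event source type pairing, that a NAT
device keeps source addresses unique per customer on a shared collector, and
that logical division of data comes from mapping Event Source Groups (Device
Groups) to User Groups. The inventory, NAT ranges, group names and functions
below are assumptions of this example.
"""
import ipaddress

# Constructed inventory: each customer's event sources as (private IP, type).
# Two customers reuse the same RFC 1918 addresses, the overlap the text warns about.
CUSTOMER_SOURCES = {
    "CustomerA": [("10.0.0.1", "Checkpoint Firewall"), ("10.0.0.20", "Windows Server")],
    "CustomerB": [("10.0.0.1", "Cisco PIX"), ("10.0.0.20", "Windows Server")],
    "CustomerC": [("10.9.9.9", "Microsoft ISA")],
}

# Hypothetical per-customer address ranges on the collector side of the NAT.
NAT_RANGES = {
    "CustomerA": ipaddress.ip_network("192.0.2.0/24"),
    "CustomerB": ipaddress.ip_network("198.51.100.0/24"),
    "CustomerC": ipaddress.ip_network("203.0.113.0/24"),
}

# Device group -> user groups allowed to see it (constructed mapping).
GROUP_MAPPING = {
    "CustomerA-Devices": {"CustomerA-Analysts", "MSSP-SOC"},
    "CustomerB-Devices": {"CustomerB-Analysts", "MSSP-SOC"},
    "CustomerC-Devices": {"MSSP-SOC"},
}


def find_collisions(customer_sources):
    """Return (IP, type) keys claimed by more than one customer.

    On a shared collector such keys would merge two customers' logs into one
    storage silo, so consolidation must not proceed until none remain.
    """
    owners = {}
    for customer, sources in customer_sources.items():
        for key in sources:
            owners.setdefault(key, []).append(customer)
    return {key: custs for key, custs in owners.items() if len(custs) > 1}


def build_nat_table(customer_sources, nat_ranges):
    """Give each (customer, private IP) its own address from that customer's
    range, like a static one-to-one NAT table in front of the collector."""
    table = {}
    for customer, sources in customer_sources.items():
        free = nat_ranges[customer].hosts()
        for ip, _ in sources:
            if (customer, ip) not in table:  # one host, one translation
                table[(customer, ip)] = str(next(free))
    return table


def apply_nat(customer_sources, nat_table):
    """Rewrite the inventory with the translated addresses the collector sees."""
    return {
        customer: [(nat_table[(customer, ip)], kind) for ip, kind in sources]
        for customer, sources in customer_sources.items()
    }


def device_groups(customer_sources):
    """One Device Group per customer, named '<Customer>-Devices' (assumed scheme)."""
    return {f"{customer}-Devices": set(sources) for customer, sources in customer_sources.items()}


def authorized_sources(user_groups, groups, group_mapping):
    """Sources a user may query: the union of every Device Group whose mapped
    User Groups intersect the user's own groups."""
    allowed = set()
    for device_group, allowed_user_groups in group_mapping.items():
        if user_groups & allowed_user_groups:
            allowed |= groups[device_group]
    return allowed


if __name__ == "__main__":
    print("collisions before NAT:", find_collisions(CUSTOMER_SOURCES))
    natted = apply_nat(CUSTOMER_SOURCES, build_nat_table(CUSTOMER_SOURCES, NAT_RANGES))
    print("collisions after NAT:", find_collisions(natted))
    groups = device_groups(natted)
    print("CustomerA analyst sees:", authorized_sources({"CustomerA-Analysts"}, groups, GROUP_MAPPING))
    print("MSSP SOC sees:", len(authorized_sources({"MSSP-SOC"}, groups, GROUP_MAPPING)), "sources")
```

Note that the same address with two different source types (10.0.0.1 as a Checkpoint firewall at one customer and a Cisco PIX at another) is not a collision, because the storage key is the IP/type pairing; only the identical Windows Server entry collides. The NAT step removes that overlap, and the group mapping then restricts each customer's analysts to their own translated sources while the MSSP SOC group sees everything.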

Summary

The RSA enVision platform is a very flexible and adaptable solution, well suited to an
MSSP providing SIEM services and accommodating customers of all sizes with diverse
support requirements. Many RSA enVision Partners today, and their customers, enjoy the
benefits and rewards RSA enVision provides: leveraged security management for
customers and profitable MSSP offerings for RSA Partners
(http://www.rsa.com/node.aspx?id=1295).

To recap:

RSA enVision SIEM MSSP Deployment Options

- Centralized
  - Multi-tenant LS Cluster hosted at the MSSP provider
  - Send logs over WAN / secure VPN to the MSSP provider, and/or
  - Install a Remote Collector at the customer site and forward logs to the MSSP provider
- Decentralized
  - Appliance(s) installed at the customer site
  - Logs remain at the customer site
  - Appliance(s) managed remotely over secure VPN
