This document covers the features and design considerations when deploying the RSA
enVision Security Information and Event Management system in an MSSP (Managed
Security Service Provider) environment.
MSSP providers need to consider SIEM coverage across their whole customer base, from small
customers with a few event sources to very large customers with many event sources and a
high EPS (events per second) rate, and everything in between. We will look at this in terms
of small, medium, and large customers.
There are basically two architectural models for deploying enVision in an MSSP
environment: centralized and decentralized. Some RSA enVision MSSP providers use a
decentralized model, some use a centralized model, and some use a combination of both to
meet the different needs of their customer base.
In the decentralized model, the RSA enVision installations at customer sites are remotely
managed by the MSSP, typically over a secure VPN connection from the MSSP SOC, where
SOC analyst resources can be leveraged across multiple customers.
The choice of a decentralized model is often dictated by the customer's need to keep log
data at their own site. Some European countries require that security log data not leave the
country, so an MSSP serving customers in multiple countries may be required to provide a
decentralized offering for customers with such requirements.
Figure A. MSSP Decentralized: customers with locally installed ES-Appliances (up to 5k EPS and up to 10k EPS) and an LS cluster with NAS storage (10k+ EPS) collect from on-site event sources (Checkpoint Firewall, Windows Servers, Microsoft ISA, ISS, Cisco PIX, PCI devices) and are managed by the MSSP over the Internet.
Figure A represents a decentralized MSSP model, illustrating how multiple customers are
managed by a single MSSP provider delivering leveraged SOC monitoring services for
their customers with locally installed RSA enVision systems.
Some customers also choose to share the event monitoring responsibilities and thus prefer
to have the appliance and console at their site. Some customers of enVision MSSP
partners employ a cooperative monitoring strategy with the service provider,
whereby the customer monitors their events during the primary shift and then passes
responsibility to the MSSP during the off-hours and weekend coverage periods.
RSA enVision is an easily extensible system allowing for content sharing between
servers thus allowing an MSSP provider to leverage custom correlation rules, custom
reports, and custom event source descriptions between customer environments via
exportable XML packages.
In the Centralized MSSP environment the MSSP provider sets up an LS cluster at the
central site consisting of an Application Server, a Data Server, and Network Attached
Storage Array. This central LS cluster can then serve multiple managed customers by
installing enVision Appliance Remote Collectors at the customer site which feed into the
centralized LS cluster providing real-time monitoring of events while at the same time
allowing secure and compressed transfer of log data to the central site for long term
storage and analysis.
The centralized environment offers all the necessary aspects of multi-tenant log
management, where division of data and division of role are paramount. RSA enVision
stores logs in a simple and secure indexed file system known as the IPDB (Internet
Protocol Database). There is a unique IPDB log store for each enVision collector, so
each customer has their own log storage silo. The IPDB is created at the Remote
Collector for real-time processing and forwarded on a scheduled basis to the Central LS
Data Server (DSRV) to be stored on the NAS for long-term storage and analysis.
Figure B. MSSP centralized model with Remote Collectors: the MSSP site hosts the Application Server, Data Server, switch and NAS storage; Customer A (Remote Collector, 1000 EPS) and Customer B (Remote Collector, 2000 EPS) forward logs over the Internet.
In some cases MSSP providers choose to have no appliance installed at the customer sites
and instead have all events sent over the Internet through a secure VPN tunnel to
centralized "local" collectors at the MSSP, as illustrated in Figure C.
Figure C. MSSP centralized model with local collectors: the MSSP site hosts the Application Server, Data Server, switch and NAS storage; Customer A and Customer B send events over the Internet with no on-site hardware.
Figure C represents a centralized MSSP model using centralized local collectors thus
eliminating the need to install any hardware at the customer site.
The centralized local collector model in Figure C provides all the same data segmentation,
multi-tenant, and centralized analysis benefits as the remote collector model
in Figure B. There can be up to three Local Collectors connected to the Master Data
Server, providing a combined support capacity of up to 30,000 EPS and 6,000 Event
Sources. Additional Data Server/Collectors, known as slave sites, can be added either at
the MSSP or the customer location to add capacity. Data Servers connect to each other to
provide centralized visibility of all the data from any Application Server.
All centralized models provide cross customer correlation advantages over the
decentralized model. If an attack occurs affecting multiple customers it may be easier to
detect since all of the activity spanning multiple customers can be seen in a single
analysis report, query, or rule-based correlated alert.
Some MSSP providers may selectively choose to leverage a collector by sending logs
from different customers to the same shared collector. This may be especially
desirable where the customers are very small with few log sources. In
these cases it is important to keep customer log data both physically
and logically separate. Each log source is stored by its IP address/Event Source Type
pairing, so two customers with a source at the same IP address and of the same type would
collide in storage. To prevent this, MSSP providers place a NAT (Network Address Translation)
device in front of the collector so that the IP addresses of incoming log sources are
unique within the Service Provider's environment. In many cases the Service Provider also manages the
customer networks and knows there are no IP/Event Source Type overlaps between their
managed customer environments. Logical division of data is governed by mapping Event
Source Groups (Device Groups) to User Groups.
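The two separation checks described above, as an added example that is not part of the original document or of the enVision product: it detects IP/Event Source Type collisions across tenants sharing a collector, shows that a per-customer NAT table removes them, and flags user groups mapped to another customer's device group. All customer names, addresses and group names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample inventory for this example: (customer, source IP, event source type).
INVENTORY = [
    ("CustomerA", "10.0.0.1", "Checkpoint Firewall"),
    ("CustomerA", "10.0.0.2", "Windows Server"),
    ("CustomerB", "10.0.0.1", "Checkpoint Firewall"),  # same IP/type as Customer A: collides
    ("CustomerB", "10.0.0.1", "Cisco PIX"),            # same IP, different type: separate silo
    ("CustomerC", "192.168.5.7", "Windows Server"),
]

# Constructed NAT table: the MSSP NAT device rewrites each customer's source
# addresses into a per-customer range before they reach the shared collector.
NAT_MAP = {
    ("CustomerA", "10.0.0.1"): "172.16.1.1",
    ("CustomerA", "10.0.0.2"): "172.16.1.2",
    ("CustomerB", "10.0.0.1"): "172.16.2.1",
    ("CustomerC", "192.168.5.7"): "172.16.3.7",
}

# Constructed logical mapping: owner of each device group, and the device groups each user group sees.
DEVICE_GROUPS = {"CustA-Devices": "CustomerA", "CustB-Devices": "CustomerB"}
USER_GROUPS = {
    "CustA-Analysts": ("CustomerA", ["CustA-Devices"]),
    "CustB-Analysts": ("CustomerB", ["CustB-Devices", "CustA-Devices"]),  # over-broad mapping
}

def find_overlaps(inventory):
    """Return {(ip, type): [customers]} for storage keys claimed by more than one customer."""
    owners = defaultdict(set)
    for customer, ip, es_type in inventory:
        owners[(ip, es_type)].add(customer)
    return {key: sorted(c) for key, c in owners.items() if len(c) > 1}

def apply_nat(inventory, nat_map):
    """Rewrite each source IP through the NAT table; a source with no mapping is an error."""
    out = []
    for customer, ip, es_type in inventory:
        if (customer, ip) not in nat_map:
            raise ValueError(f"no NAT mapping for {customer} {ip}")
        out.append((customer, nat_map[(customer, ip)], es_type))
    return out

def user_group_violations(device_groups, user_groups):
    """List (user_group, device_group) pairs where a group sees another customer's devices."""
    return [(ug, dg) for ug, (customer, dgs) in user_groups.items()
            for dg in dgs if device_groups.get(dg) != customer]

if __name__ == "__main__":
    print("overlaps before NAT:", find_overlaps(INVENTORY))
    print("overlaps after NAT:", find_overlaps(apply_nat(INVENTORY, NAT_MAP)))
    print("user group violations:", user_group_violations(DEVICE_GROUPS, USER_GROUPS))
```

Run it against an export of the real source inventory and group mappings before pointing a second customer at a shared collector; an empty result from all three checks is the condition the text describes.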
Summary
The RSA enVision platform is a flexible and adaptable solution well suited to the
MSSP providing SIEM services, accommodating customers of all sizes with diverse
support requirements. Many RSA enVision Partners today, and their customers, enjoy the
benefits RSA enVision provides: leveraged security management for
customers and profitable MSSP offerings for RSA Partners (http://www.rsa.com/node.aspx?id=1295).
To recap: