Cisco-rsa Envision Integration Customer Deck (1)

RSA and Cisco SIEM Partnership February, 2010


Transcript of Cisco-rsa Envision Integration Customer Deck (1)

Page 1: Cisco-rsa Envision Integration Customer Deck (1)

RSA and Cisco SIEM Partnership

February, 2010

Page 2: Cisco-rsa Envision Integration Customer Deck (1)


Agenda

Cisco – RSA/EMC Partnership Overview

Cisco – RSA enVision integrations

Enhancing security

Simplifying compliance

Optimizing network & IT operations

Comprehensive Cisco device coverage

Solution benefits

Page 3: Cisco-rsa Envision Integration Customer Deck (1)


Cisco – RSA/EMC Partnership Overview

Cisco and RSA/EMC's long-standing partnership provides customers with tightly integrated and certified solutions in remote access, virtualization, DLP, Web security, wireless, core routing, & IP telephony

Two key proof points:

RSA Email DLP

“RSA Email DLP” software add-on for IronPort C-Series V7.0

Developed by Cisco based on RSA DLP SDK & policies

Available since Nov 2009 and offered by Cisco

33 deals closed in first 9 weeks of availability

Cisco IronPort RSA Email DLP add-on

#1. VMware, Cisco and EMC partner to offer Vblock infrastructure packages

#2. RSA DLP and Cisco IronPort offer built-in approach to data security

Page 4: Cisco-rsa Envision Integration Customer Deck (1)


Cisco – RSA enVision Integrations (1/2)

High quality integrations due to Cisco and RSA partnership

– Sharing of roadmaps, log/event knowledge

– Optimized log/event parsing, correlation rules, and reports

20+ Cisco devices supported by RSA enVision

– Latest versions for Security, Networking, Wireless and Virtualization products

– Cisco updates supported by RSA typically within 1 quarter of production release

– enVision product infrastructure designed to be able to easily add Cisco devices

Page 5: Cisco-rsa Envision Integration Customer Deck (1)


Cisco – RSA enVision Integrations (2/2)

RSA enVision - MARS integration highlights

– Capture all 100+ MARS alerts and correlate them with other devices & applications throughout your infrastructure OR

– Send all raw logs from MARS Archives to enVision for processing

Page 6: Cisco-rsa Envision Integration Customer Deck (1)


RSA enVision Enhances Cisco’s Security Capabilities

RSA enVision improves Cisco’s security visibility

– Correlates alerts from Cisco devices with information across other event streams to improve protection of business critical data and assets

– Includes event streams from applications, databases, data loss prevention systems, physical and virtual servers, etc.

– Provides an interface to investigate issues Cisco devices identify

Logs and events from Cisco devices captured by enVision enable numerous use cases, e.g.:

– Latest IPS 7.0 reputation scoring

– Location aware access monitoring & alerting (via Cisco MSE)

– CS MARS & ASA Botnet detection

– Proactive views on Web Security Gateways

Page 7: Cisco-rsa Envision Integration Customer Deck (1)


Use Case: Security Incident Classification (Leverages Cisco IPS 7.0 reputation score)

Cisco IPS 7.0 detects negative reputation score signatures

RSA DLP detects information leaving network

Analyst investigates malware outbreak

DLP tells you if confidential data lost as a result

Without enVision to correlate Cisco IPS and DLP events

• Analyst needs training in 2 products

• No single pane of glass to get full picture

Without DLP

• True impact of malware infection not known

Without Cisco IPS

• Slower detection of malware outbreak

• More resource-intensive investigation

[Diagram labels: DLP, Network]

Page 8: Cisco-rsa Envision Integration Customer Deck (1)


Use Case: RSA enVision Uses Cisco Location Data to Enforce Business Policy

Before: Without MSE - privileged users in unauthorized locations are undetected

[Diagram: Enterprise Network, Finance Department, Cafeteria, Events, Analyst, Critical Host; steps 1-3]

Finance Manager accesses confidential data from her office. At lunch time she takes her laptop with her to finish working in the cafeteria.

RSA enVision detects when the user has accessed the financial database and on what device but cannot determine the location.

Analyst does not have location information needed to determine if an unauthorized location policy breach has occurred.


Page 9: Cisco-rsa Envision Integration Customer Deck (1)


Use Case: RSA enVision Uses Cisco Location Data to Enforce Business Policy

After: With MSE - unauthorized location access detected immediately through correlated alert

[Diagram: Enterprise Network, Events, Analyst, Critical Host; steps 1-2]

Finance Manager accesses confidential data from her office. At lunch time she takes her laptop with her to finish working in the cafeteria.

RSA enVision now receives location information from the Cisco MSE and correlates logs from the critical host to alert that policy violation has occurred.

RSA enVision alerts the analyst of the policy breach who can report the incident and take appropriate action.

[Diagram: Cisco MSE provides Location; Finance Department, Cafeteria; step 3]
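The two correlation use cases above (slide 7: Cisco IPS reputation hits joined with RSA DLP events; slides 8 and 9: database access joined with Cisco MSE location data) are both time-window joins across event streams. The following Python is an added example written for this page, not RSA enVision or Cisco code: the event field names, the 30-minute window, the authorized-location policy and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One normalized log record. Field names are assumptions for this
    example, not enVision's event schema."""
    ts: datetime
    source: str         # "ips", "dlp", "db" or "mse"
    host: str           # endpoint IP or device name the event is about
    user: str = ""      # db events: account that accessed the target
    target: str = ""    # db events: database accessed
    location: str = ""  # mse events: location fix for the device
    score: int = 0      # ips events: reputation score, negative is bad


WINDOW = timedelta(minutes=30)  # how close two events must be to be joined

# Constructed business policy: where each critical host may be used from.
AUTHORIZED_LOCATIONS = {"finance-db": {"Finance Department"}}


def within_window(a: Event, b: Event) -> bool:
    return abs(a.ts - b.ts) <= WINDOW


def classify_malware(events):
    """Slide 7: an IPS negative-reputation hit on its own is a suspected
    outbreak (high); the same host also seen by DLP inside the window means
    data left the network as a result (critical)."""
    dlp = [e for e in events if e.source == "dlp"]
    incidents = []
    for hit in (e for e in events if e.source == "ips" and e.score < 0):
        leaks = [d for d in dlp if d.host == hit.host and within_window(hit, d)]
        incidents.append({
            "host": hit.host,
            "severity": "critical" if leaks else "high",
            "data_loss": bool(leaks),
        })
    return incidents


def check_location_policy(events):
    """Slides 8 and 9: each database access by (user, device) is joined with
    the most recent MSE location fix for that device. Without a fix the
    verdict is undetermined (slide 8); with one it is ok or breach (slide 9)."""
    findings = []
    for access in (e for e in events if e.source == "db"):
        fixes = [m for m in events
                 if m.source == "mse" and m.host == access.host
                 and m.ts <= access.ts and within_window(access, m)]
        finding = {"user": access.user, "host": access.host, "target": access.target}
        if not fixes:
            finding["verdict"] = "undetermined"
        else:
            location = max(fixes, key=lambda m: m.ts).location
            allowed = AUTHORIZED_LOCATIONS.get(access.target, set())
            finding["location"] = location
            finding["verdict"] = "ok" if location in allowed else "breach"
        findings.append(finding)
    return findings


# Constructed sample events covering both use cases.
T0 = datetime(2010, 2, 1, 12, 0)
EVENTS = [
    Event(T0, "ips", "10.1.1.5", score=-7),                # bad-reputation hit
    Event(T0 + timedelta(minutes=5), "dlp", "10.1.1.5"),   # ...and data leaves
    Event(T0, "ips", "10.1.1.9", score=-3),                # hit, no DLP event
    Event(T0 - timedelta(minutes=2), "mse", "laptop-fin-01", location="Finance Department"),
    Event(T0, "db", "laptop-fin-01", user="fmanager", target="finance-db"),
    Event(T0 + timedelta(minutes=60), "mse", "laptop-fin-01", location="Cafeteria"),
    Event(T0 + timedelta(minutes=62), "db", "laptop-fin-01", user="fmanager", target="finance-db"),
    Event(T0 + timedelta(minutes=10), "db", "laptop-it-02", user="admin", target="finance-db"),
]

if __name__ == "__main__":
    for inc in classify_malware(EVENTS):
        print("malware:", inc)
    for f in check_location_policy(EVENTS):
        print("location:", f)
```

Run as a script it prints one incident per IPS hit and one finding per database access. The "undetermined" verdict for the device with no MSE fix is the slide 8 situation: the SIEM sees the access and the device but cannot decide on location, which is exactly what the MSE feed removes.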

Page 10: Cisco-rsa Envision Integration Customer Deck (1)


Example enVision SOC Dashboard

Page 11: Cisco-rsa Envision Integration Customer Deck (1)

RSA enVision In Action At a SOC: EMC Critical Incident Response Center

Page 12: Cisco-rsa Envision Integration Customer Deck (1)


RSA enVision Simplifies Compliance for Cisco Customers

Maps Cisco data back to specific standards, e.g. National Laws (SOX, Basel II, JSOX), Industry Regulations (PCI), Standards (ISO 27002, ITIL)

Presents Cisco log data alongside other compliance-relevant information (e.g. server logs, application activity, user activity, etc.)

1300+ reports included out of the box, including many that are Cisco-specific

Easily customizable

Page 13: Cisco-rsa Envision Integration Customer Deck (1)


Use Case: Auditor Asks for Logs of All Config Changes

[Diagram: sources feeding the Analyst: applications / databases, Cisco Firewall Logs, Cisco Router Logs, Server Logs, Cisco Security Device Alerts]

Page 14: Cisco-rsa Envision Integration Customer Deck (1)


Use Case: Auditor Asks for Logs of All Privileged Users

[Diagram: sources the Analyst must search: applications / databases, Cisco Firewall Logs, Cisco Router Logs, Server Logs, Cisco Security Device Alerts, Active Directory]

GREP… GREP… GREP… GREP… GREP…

Page 15: Cisco-rsa Envision Integration Customer Deck (1)

Sample Compliance Reports

PCI: Cisco router config changes; Cisco ASA top sources

Page 16: Cisco-rsa Envision Integration Customer Deck (1)


RSA enVision Optimizes IT & Network Operations for Cisco Customers

RSA enVision provides a single global view into all network activity, enabling IT operations analysts to

– Discover anomalies

– Quickly determine root cause of non-security related problems

Examples of issues easily identified with enVision:

– Configuration changes

– System failures

– System shutdowns

– Service restarts

Page 17: Cisco-rsa Envision Integration Customer Deck (1)


Use Case: Security Change Audit & Compliance Enforcement for Cisco Network

Problem: Security ops requires full lifecycle view including change auditing capabilities across the Cisco network

– Who changed what and when? Was it approved?

Solution:

– Ionix NCM change management continually monitors configuration changes and notifies RSA enVision

– Delivers key data on in-process and out-of-process changes

– Who, what, when, approved/non-approved

Benefits:

– Auditability, visibility of IT Operations

– Identify approved and unapproved changes

[Diagram labels: IT Administrator reconfiguring network components; network; EMC Ionix Network Configuration Manager; Config Change Configs & Out-of-Policy Events; Network Security Usage & Status Events; Correlated Alerts; Reports]
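The change-audit use case above reduces to reconciling "who changed what and when" notifications against an approved-change record, so that approved, out-of-window and unapproved changes can be told apart. The Python below is an added example written for this page, not EMC Ionix NCM or RSA enVision code; the record fields, ticket identifiers, device names and change events are constructed assumptions.

```python
from datetime import datetime

# Constructed approved-change records (the "was it approved?" side).
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "user": "netops1", "device": "core-rtr-1",
     "start": datetime(2010, 2, 3, 22, 0), "end": datetime(2010, 2, 3, 23, 59)},
    {"ticket": "CHG-1002", "user": "netops2", "device": "edge-fw-2",
     "start": datetime(2010, 2, 5, 1, 0), "end": datetime(2010, 2, 5, 3, 0)},
]

# Constructed change notifications in the shape a configuration manager
# would forward (who, what, when); the field names are assumptions.
CHANGE_EVENTS = [
    {"ts": datetime(2010, 2, 3, 22, 15), "user": "netops1", "device": "core-rtr-1",
     "summary": "ntp server added"},
    {"ts": datetime(2010, 2, 4, 9, 30), "user": "netops1", "device": "core-rtr-1",
     "summary": "access-list entry removed"},
    {"ts": datetime(2010, 2, 4, 3, 12), "user": "contractor", "device": "edge-fw-2",
     "summary": "logging host changed"},
]


def classify_change(change, approved=APPROVED_CHANGES):
    """Return (status, ticket) for one change notification.

    approved       a ticket names this user, this device and a window
                   containing the change time
    out-of-window  a ticket names this user and device, but the change
                   happened outside every such window
    unapproved     nobody approved this user touching this device
    """
    mine = [t for t in approved
            if t["device"] == change["device"] and t["user"] == change["user"]]
    for t in mine:
        if t["start"] <= change["ts"] <= t["end"]:
            return "approved", t["ticket"]
    if mine:
        return "out-of-window", mine[0]["ticket"]
    return "unapproved", None


def audit(changes=CHANGE_EVENTS, approved=APPROVED_CHANGES):
    """Annotate every change with its status: the who/what/when/approved
    view an auditor asks for. Anything not 'approved' is what a correlated
    alert on out-of-policy changes would raise."""
    rows = []
    for change in changes:
        status, ticket = classify_change(change, approved)
        rows.append({**change, "status": status, "ticket": ticket})
    return rows


def unapproved(rows):
    """Filter the audit rows down to the ones that need follow-up."""
    return [r for r in rows if r["status"] != "approved"]


if __name__ == "__main__":
    for row in audit():
        print(row["ts"], row["device"], row["user"], row["status"], row["ticket"])
```

The "out-of-window" status is worth keeping separate from "unapproved": the second change was made by the approved engineer on the approved device, just after the change window closed, which is an in-process change done at the wrong time rather than an unknown actor.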

Page 18: Cisco-rsa Envision Integration Customer Deck (1)

RSA: Broad and Deep Cisco Support

enVision integrated with 20+ Cisco devices

• Access Control Server - versions 3.3, 4.0, 4.2 (software only)

• Access Control Server - versions 4.0, 4.1, 4.2 (appliance)

• Secure Access Control Server Express - version 5.0

• Cisco Adaptive Security Appliance Software - versions 8.2, 7.1(2), 7.2 (to generate syslog events)

• Cisco ASA Security Services Module Software - version 5.1(1p1) (to generate IDS events)

• Aironet AP (Wireless Access Point) - version IOS 12.2

• Catalyst Switch 6500 CATOS - version 8.3 (alerting only)

• CiscoWorks Network Compliance Manager - version 1.4 SP2

• Content Engine - versions 5.0, 5.4

• Content Services Switch - versions 5.10, 8.10

• IronPort Email Security Appliance - version 5.7.0

• IronPort Web Security Appliance - versions 5.7.0, 6.3

• Mobility Services Engine - version 5.2.91.0

• PIX Firewall - versions 8.2, 7.0

• Router - version IOS 12.4

• Secure IDS - versions 4.x, 5.0, 5.1, 6.0, 6.1, 6.2, 7.0

• Security Agent - versions 4.0, 5.1, 6.0

• Security Manager (also branded as CiscoWorks Common Services) - versions 2.3, 3.0, 3.3

• VPN 3000 Concentrator - versions 3.6.7, 4.0, 4.1, 4.7

• Wireless LAN Controller (WLC) - version 5.2.157.0

• CS MARS - version 6.x

• Cisco UCS - version 1.1

Page 19: Cisco-rsa Envision Integration Customer Deck (1)

RSA: Broad and Deep Cisco Support

Cisco device roadmap for Q1 2010

New devices

– Cisco MARS Archives

– Cisco FWSM

– Cisco ASR 1000 v2.5

Device updates

– Cisco Adaptive Security Appliance Software v8.0.2

– IronPort Email Security Appliance v7.0

– Router v15.M1

Cisco product updates supported by RSA typically within 1 quarter of production release

Page 20: Cisco-rsa Envision Integration Customer Deck (1)


Cisco - RSA enVision Solution Benefits

Reduce security risk

• Prioritize incidents by correlating threats with data sensitivity

• Identify threats more quickly with smarter correlation based on location

Simplify Compliance

• Map Cisco data (plus other compliance-relevant data, e.g. server logs) back to specific standards & regulations

• 1300+ reports out-of-the-box

Optimize IT Operations

• Audit security changes

• Enforce compliance

• Ease troubleshooting via global view into network logs / events

Page 21: Cisco-rsa Envision Integration Customer Deck (1)


Page 22: Cisco-rsa Envision Integration Customer Deck (1)


Sample List of Standard Firewall Reports

Top 10 requested URL/FTP destinations

Top 20 bandwidth users

Top 10 source addresses of alarms

Denied inbound IP spoofing

Blocked URL events

Denied connections per hour

FTP requests: by hour, dept, foreign/local address

Outbound e-mail/ftp/HTTP traffic

Page 23: Cisco-rsa Envision Integration Customer Deck (1)


Example ASA Reports