EnVision Overview Guide

RSA enVision 4.1 Overview Guide

Contact Information

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks

RSA, the RSA Logo, RSA enVision, RSA Event Explorer and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Portions of this application include technology used under license from Visual Mining, Inc. 2000-2010.

Portions of this application include iAnywhere technology, 2001-2010.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2011 EMC Corporation. All Rights Reserved. Published in the USA.September 2011

www.rsa.com

www.rsa.com/legal/trademarks_list.pdf


Contents

Preface................................................................................................................................... 5About This Guide................................................................................................................ 5

RSA enVision Documentation............................................................................................ 5

Related Documentation....................................................................................................... 6

Support and Service ............................................................................................................ 6

Chapter 1: About the RSA enVision Platform............................................... 9RSA enVision Solution....................................................................................................... 9

RSA enVision Platform .................................................................................................... 10

User Experience ................................................................................................................ 13

Chapter 2: Event Collection ................................................................................... 15Event Sources.................................................................................................................... 15

Message Categories........................................................................................................... 15

Event Storage .................................................................................................................... 17

Event Export ..................................................................................................................... 17

Chapter 3: Vulnerability and Asset Management ..................................... 19Asset Data ......................................................................................................................... 19

Vulnerability Data............................................................................................................. 20

Chapter 4: Incident Management........................................................................ 21Real-Time Alerts............................................................................................................... 21

Incident-Response Tasks................................................................................................... 24

Forensic Analysis .............................................................................................................. 25

Chapter 5: Reports and Queries.......................................................................... 29Reports .............................................................................................................................. 29

Queries .............................................................................................................................. 30

Chapter 6: Compliance.............................................................................................. 33

Chapter 7: Further Information and Assistance........................................ 35Help Systems..................................................................................................................... 35

Online Resources .............................................................................................................. 36

Event Source, Report, Correlation Rule, and VAM Updates ........................................... 38

Assistance.......................................................................................................................... 39

Glossary ............................................................................................................................. 41

Index ..................................................................................................................................... 47

Contents 3


Preface

About This Guide

This guide introduces RSA enVision features and capabilities. The intended audience for this guide includes enVision administrators, enVision users, or anyone who requires a high-level understanding of enVision.

RSA enVision Documentation

For information about the RSA enVision platform, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.

Overview Guide. Provides an introduction to RSA enVision platform features and capabilities.

Hardware Setup and Maintenance Guide. Provides instructions on setting up and maintaining RSA enVision appliances. Intended audience is the system administrator.

Configuration Guide. Provides instructions on configuring an RSA enVision site. Intended audience is the system administrator.

Migration Guide. Provides instructions on migrating data from a previous version of the RSA enVision platform to the current version.

Virtual Deployment Guide. Provides instructions on installing an RSA enVision single appliance site or Remote Collector on a virtual infrastructure.

Administrator’s Guide. Provides instructions on the basic setup and maintenance of the RSA enVision platform. Includes instructions for the most common administrator tasks.

User’s Guide. Provides information that helps users to get started using the RSA enVision platform. Includes instructions for the most common user tasks.

Backup and Recovery Guide. Provides instructions on backing up an RSA enVision system and recovering from a hardware failure.

Security Configuration Guide. Provides an overview of security configuration settings in the RSA enVision platform.

Universal Device Support Guide. Describes how to add log collection and analysis support for event sources that the RSA enVision platform does not support.

RSA enVision Help. Provides comprehensive instructions on setting up RSA enVision processing options and using RSA enVision analysis tools.

Preface 5

https://knowledge.rsasecurity.com


RSA continues to assess and improve the documentation. Check RSA SecurCare Online for the latest documentation.

Related Documentation

For information about the RSA enVision Event Explorer module, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.

Installation Guide. Provides instructions on installing the RSA enVision Event Explorer module on your client machine in separate guides for Microsoft Windows and Apple Macintosh operating systems. Intended audience is the end user.

RSA enVision Event Explorer Help. Provides comprehensive instructions on setting up and using the RSA enVision Event Explorer module.

For information about the RSA enVision EventSource Integrator, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.

Overview Guide. Provides an introduction to RSA enVision EventSource Integrator features and capabilities.

RSA enVision EventSource Integrator Help. Provides comprehensive instructions on using RSA enVision Event Source Integrator.

Support and Service

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. SecureCare Online also offers information on new releases, important technical news, and software downloads.

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.rsa.com/support

RSA Secured Partner Solutions Directory www.rsasecured.com

6 Preface

https://knowledge.rsasecurity.com

www.rsa.com/support

www.rsasecured.com


Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision software.

Please have the following information available when you call:

One of the following:

• On a 60-series appliance, the serial number of the appliance.You can find the seven-character serial number on the chassis tag on the back of the appliance, or open a Dell Openmanage Server Administrator session, and click System > Properties > Summary to find the serial number in the chassis service tag field.

• On a virtual appliance, the serial number of the RSA enVision software.Open the C:\WINDOWS\system32\drivers\etc\Nie-oe.dat file, and locate the line that begins with “S/N=”.

RSA enVision software version number.

The name and version of the operating system under which the problem occurs.

On a virtual appliance, the VMware ESX or ESXi server details.

Preface 7


1 About the RSA enVision Platform

The RSA™ enVision® is a security information and event management (SIEM) solution. It collects log messages and vulnerability and asset data from the entire IT network, applies logic to the data, and provides actionable information in the form of reports and real-time alerts.

RSA enVision Solution

RSA enVision gives users a single, integrated SIEM solution for meeting the following business needs:

• Enhanced security

• Simplified compliance

• Optimized IT oversight

Enhanced Security

RSA enVision provides security specialists with a clear view of threats and risks and the means to counter them.

RSA enVision collects all the logs generated by network assets, such as servers, switches, routers, storage arrays, operating systems, and firewalls. It analyzes the logs in real time, and can generate alerts when it detects suspicious patterns of activity. Because enVision contains information about common threats, it detects many common security attacks.

In addition, enVision contains data from supported configuration management systems and asset scanners.The access to enVision data is secured with strong passwords. Using this data, enVision recognizes the asset under threat and calibrates the urgency of the alert.

Security staff can then use the RSA enVision Event Explorer module, an advanced analytical tool, to examine the full volume of stored and incoming data.

RSA enVision

InterpretsAnalyzes

Stores

Inputs Outputs

Log MessagesVulnerability Scans

AlertsReports

1: About the RSA enVision Platform 9


Simplified Compliance

RSA enVision eases the burden of complying with regulations, standards, and organizational policies. It enables event monitoring and incident response, and includes compliance reports tailored to specific requirements. For example, enVision provides reports for demonstrating compliance with laws (such as the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act) and with industry standards (such as the Payment Card Industry Data Security Standard and ISO 27002).

RSA enVision automates the process of collecting, sorting, analyzing, and storing log messages. All logs are gathered without filtration or normalization and are protected from tampering. Compliance specialists can find in the stored logs a complete accounting of network activity. RSA enVision thus provides a verifiably authentic archive of data that simplifies compliance with modern requirements and with whatever legislation may emerge in the future.

Optimized IT Oversight

Managed log data is the best source of information about infrastructure status and performance and the activities of applications and users.

RSA enVision can alert IT staff in real time to faulty equipment and anomalous network activity, and can also provide granular visibility into the specific behaviors of applications and end users. The incident-handling facilities of enVision manage the creation and assignment of remediation tasks to administrators and help desk personnel and assist in tracking their progress.

In addition, the enVision baselining, trending, and reporting functionality provides a long-term graphical overview of system performance and events.

RSA enVision Platform

RSA enVision scales from a single appliance to a large, distributed, multiple appliance system. In all deployments, authorized users can use enVision to find all the logs and other data.

Platform Components

RSA enVision consists of the following integrated components, each with a specialized function:

Collector. Receives and interprets log messages from network assets, and stores this event data in the LogSmart Internet Protocol Database (IPDB) (RSA refers to these processed log messages as events.).

Database Server (D-SRV). Retrieves event data from the IPDB in response to user requests.

Application Server (A-SRV). Runs the applications that enable user and administrator actions, such as creating users, querying the data, and directing enVision to generate alerts and reports. Users and administrators can log on to the enVision user interface through a web browser on their personal computers.

10 1: About the RSA enVision Platform


Event Explorer. A client application that is specialized for incident handling and forensic analysis. Event Explorer runs on users’ personal computers and connects to enVision to access the collected data.

The following figure illustrates the enVision components, their functions, and the connections among them.

Platform Deployments

RSA enVision runs on a standalone appliance or within a scalable, distributed architecture able to cope with the demands of the largest enterprise networks.

The simplest deployment has the enVision components (Collector, D-SRV, and A-SRV) preinstalled in one appliance. It can be supplemented with external storage.

Depending on the model, a single enVision appliance supports up to 14 simultaneous users. The high-end appliance can, with external storage, accommodate up to 1,250 event sources.



For larger deployments, the Collector, D-SRV, and A-SRV are each installed on a separate appliance and supplemented with network-attached storage. The appliances are collectively referred to as a site.

A site has one or more D-SRV appliances supporting multiple A-SRV appliances and Collector appliances, including Collectors in remote geographic locations.

In this distributed deployment, each A-SRV can accommodate 16 simultaneous users. A single Collector appliance in a site can accommodate up to 2,048 event sources, however, a Collector appliance in a remote geographic location can accommodate up to 1,024 event sources.

The largest deployments include several sites, each supporting multiple A-SRVs, D-SRVs, and Collectors.

For information on enVision deployments, contact your RSA sales representative, or go to www.rsa.com/products/envision/datasheets/9245_3in1_DS_0209-lowres.pdf.

Virtual Deployments

RSA enVision can be deployed on a virtual machine for single appliance and remote collector sites. For more information, see the RSA enVision 4.1 Virtual Deployment Guide.

A-SRV

Site 1

Site 2

Collector

A-SRV

CollectorCollector

D-SRV1

Logs

Event Sources

Logs

Event Sources

Logs

Event Sources

D-SRV2



User Experience

Users and administrators control RSA enVision and Event Explorer through graphical user interfaces (GUIs). enVision administrator creates users and user groups with varying levels of permissions, and each user sees only the operations for which permission has been granted.

RSA enVision GUI

All pages of the enVision GUI show the navigation tools in the left panel and the current window on the right.

The landing page is the Dashboard. Each user and administrator can configure a personal dashboard that shows a customized selection of reports. The navigation tree on the left is expanded at startup to show the available reports and those selected for display.

For example, the following figure shows an enVision landing page with the expanded navigation tree (Overview > Dashboard) on the left and the Dashboard window configured to show several graphical and tabular reports.

To navigate the enVision GUI, select a tab at the top of the left panel: Overview, Alerts, Analysis, or Reports. The panel refreshes to display the choices available under the selected tab.

Tabs

Availablereports

Other overviewtopics

User-selected reports



RSA enVision provides a comprehensive Help system with instructions for using the features on each window. When using any window in the GUI, click the question mark

icon to see context-sensitive Help for that window. RSA enVision displays the

Help topic for the current window in a new browser window, with the Help Table of Contents in the left panel. The left panel also displays links to a Help index and a search field.

RSA enVision Event Explorer GUI

Event Explorer is specialized for managing incidents and performing forensic analysis. Event Explorer receives the incidents that enVision generates and enables users to analyze the data that the platform collects.

The Event Explorer GUI has two modes related to its primary functions: Incident Management mode (for handling incidents) and Event Trace Library mode (for forensic analysis). Each mode has individual panels and views that display the details for incident management and forensic analysis. You can select which mode displays by default when you open Event Explorer.

Event Explorer Help is available by clicking Help on the menu bar. Event Explorer displays the Help Table of Contents in a new browser window. It includes an index and a search field.



2 Event Collection

RSA enVision collects, analyzes, and stores logs from event sources throughout an organization’s IT environment. The logs and the descriptive metadata that enVision adds are stored in the LogSmart Internet Protocol Database (IPDB).

Event Sources

Event sources are the IP assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls.

RSA enVision administrator configures event sources to send logs to the Collector or configures the Collector to poll event sources and retrieve logs. As a result, the Collector receives all system logs in their original form, without filtering, normalization, or compression.

New event sources are being developed to match the Content 2.0 standard. The RSA enVision 4.1 release supports the Universal Event Table in report and query interface. This table is a new data structure that represents all the event data contained within Content 2.0 event sources. For more information see the Help topic, “Content 2.0.”

RSA enVision EventSource Integrator is a graphical tool that enables you to integrate event sources with RSA enVision. Using EventSource Integrator, you can define how enVision reads and monitors the events from event sources. These definitions are stored as an XML file, called an event source XML file, which is deployed on enVision. Using EventSource Integrator, you can create a new event source XML file for an event source that is not currently supported by enVision or edit an existing event source XML file. After you deploy the event source XML file, enVision is able to interpret the events and monitor the event source.

Message Categories

The Collector is equipped with files for each supported event source. These files enable the Collector to interpret the often cryptic log messages, no matter what format the messages use. RSA updates these files frequently to support new event sources and new log messages that event source vendors have added. RSA enVision collects messages in syslog format and also has other collection services including NIC Windows Service, NIC FW-1 LEA Client Service, NIC File Reader Service, NIC SFTP Agent, NIC ODBC Service, NIC Secure SDEE Collection Service, VMware, and Windows 2008 Service.

For each message, the Collector records the event source and time received and assigns the message a numeric ID. The Collector also assigns each message to a message category that indicates the kind of action that causes the message. This descriptive metadata (source, time, ID, and category) is used in configuring alerts and in retrieving events for forensic analysis.

2: Event Collection 15


The message categories are hierarchical. The top level, called the NIC category, has ten possible values:

• Attacks• Reconnaissance (such as port scans)• Content (web content events, such as normal transactions or suspect requests)• Authentication (authentication events)• User (such as logon and file access)• Policies (such as firewall rule events)• System (hardware errors)• Configuration (administrator modifications)• Network (such as usage or routing errors)

• Other

Within NIC categories, messages are further classified by alert category and then by up to three levels of event category. For example, a log message in the Attacks category might be further categorized as Malicious Code (alert category), and further as a Worm (event category).

The following figure shows a five-level message classification, as well as the syntax for specifying categories when configuring alerts or conducting analysis.

RSA enVision administrator uses message categories in configuring alerts. When incoming messages and possibly other criteria, such as event source or time frame, meet the conditions that the administrator has specified for an alert, the alert is triggered immediately.

In addition, the categorization of log messages enables enVision to establish activity baselines, which it can use to determine whether a certain activity or level of activity is anomalous. The categorized log data is also used for alerting and reporting.

Attacks.Access.Informational .Network Based .TELNET

NIC Category

Alert Category

Event Categories

16 2: Event Collection


Event Storage

After enVision analyzes log messages, it stores the original log messages and their descriptive metadata in the IPDB.

This method of storage has several advantages over traditional relational databases. The IPDB:

• Works efficiently with unstructured data without requiring preprocessing or data normalization.

• Optimizes retrieval based on event source, message category, event ID, and time received.

• Uses a write-once-read-many approach that ensures that after data is committed to the database, it can never be altered.

The access to the IPDB data is controlled and only authorized users are allowed to access the data. To ensure integrity of the event data collected in the IPDB, the SHA-256 hash of the event data is computed and stored. The enVision administrator can verify the integrity of the event data stored in the IPDB using the maintenance tool. For more information on the maintenance tool, see the Help topic, “Maintenance Command Line Interface Utility (lsmaint.exe) Actions and Arguments.”

Event Export

RSA enVision has the capability to export event data from IPDB to external data destinations, such as databases or data warehouse technologies and event processing systems. You can then use the data for data aggregation, staking, enrichment, and further investigation.

When you install version 4.1 of enVision, you can export events from the platform. Events can be exported at scheduled intervals to a comma-separated value (CSV) file which can be imported into a desired destination. For more information, see the Administrator’s Guide.

2: Event Collection 17


3 Vulnerability and Asset Management

IT assets (hosts, software systems, and other devices) have well-known vulnerabilities. RSA enVision uses this information about enterprise assets to minimize false positive alerts and to prioritize alerts. Vulnerability information also provides the contextual data that security analysts need to respond to incidents and to perform forensic analysis.

Both enVision and RSA enVision Event Explorer have vulnerability and asset browsers that enable security analysts to access this information quickly and efficiently.

Asset Data

RSA enVision maintains an Asset Database (ADB) containing information about the assets reported by one of the supported asset tracking tools (asset scanning devices).

RSA enVision supplements its own information about assets by importing data from third-party asset scanners and configuration management systems. For example, enVision imports data from the QualysGuard Security and Compliance Suite.

If one of these third-party scanners reports an asset that is not in the enVision ADB, enVision creates a new record for the asset and adds any available information, such as operating system, ports, and services.

RSA enVision

Knows Asset A and its importanceKnows Asset A’s vulnerabilies and threatsKnows events that signal an attack on Asset A

Logs

Asset A

ADBVDBIPDB

3: Vulnerability and Asset Management 19


Vulnerability Data

The enVision Vulnerability Knowledge Database (VDB) is an embedded repository of vulnerability information.

The VDB is derived from the National Vulnerability Database of the U. S. Department of Homeland Security. The National Vulnerability Database integrates all vulnerability data from publicly available resources. It contains detailed descriptions about each current vulnerability, such as potential impact, the type of losses caused, and an indication of how an attack can result in a confidentiality breach.

Vulnerability and asset management features enable enVision users to configure confidence level filtering on the detected set of vulnerabilities of each scanned asset. When enVision receives event information from a supported intrusion detection system (IDS) or intrusion prevention system (IPS), it applies the confidence level filter to respond appropriately to the received information.

Examples of supported IDS and IPS devices include Juniper Networks Intrusion Detection and Prevention Appliances and Cisco Intrusion Prevention Sensor. These systems continuously scan the network to detect such threats as outsiders gathering information about the assets.

RSA frequently updates vulnerability information, threat signatures, and support for vulnerability scanners. Customers can download these updates to the enVision VDB.

20 3: Vulnerability and Asset Management


4 Incident Management

An incident is an event or set of events that warrants further investigation, such as a disk failure, an unexpected spike in network traffic, or the signature of a known threat. Because of the wealth of data that the RSA enVision platform automatically collects, it can be configured to recognize incidents and issue real-time alerts.

The alert is the beginning of the enVision incident-management process. RSA enVision provides for closed-loop incident management, from configuring alerts by creating and assigning response tasks to monitoring incident response and resolution.

Real-Time Alerts

RSA enVision generates real-time alerts in response to sets of circumstances that the administrator has specified. RSA enVision analyzes all incoming events and issues an alert immediately when the specified conditions are met.

The alert is reported in the enVision GUI and can be directed to other destinations, such as e-mail, instant message, or a text file stored on the local system. An alert can also be configured to automatically generate an incident-response task.

Views

A view defines the devices, messages, correlated rules, and user-defined criteria for which enVision issues alerts. An enVision administrator creates views that specify the conditions—the event sources, events, user-defined criteria, and correlations among criteria—that are worthy of investigation.

Any of the following conditions can generate an alert:

• A single event message, such as one reporting an asset malfunction

• A string within an event message, such as content that matches a configured list (referred to as a watchlist) of known spammers

• A specified combination of events within a given time frame, such as a series of logon attempts that suggest a possible denial-of-service attack

Within a view, an administrator can specify filters and thresholds, such as a percentage increase of activity above the baseline, to rate the severity of the events and focus on those of highest priority. Views can also use watchlists, which filter events by string, IP address, port, protocol, or regular expressions.

An administrator can also configure the view to send various alerts using specific protocols such as SNMP, e-mail, instant message, or text file. These configuration settings are called output actions. Another possible output action is the automatic generation of an incident-response task. Each view specifies the users who are permitted to monitor the alerts generated for that view.

4: Incident Management 21


Correlated Alerts

Views frequently include correlation rules for alerts. A correlation rule specifies a set of events within a time period and a set of conditions that will generate an alert. The correlation rule includes a message ID and message text for the alert.

For example, the following figure illustrates the logic of a correlation rule for recognizing a threat.

When the correlation rule criteria are met, enVision generates the alert message defined in the view and sends that alert to the specified destination.

RSA enVision provides a wide range of correlation rules that detect incidents and reduce or eliminate the risk of exposure. The enVision administrator can enhance or modify these rules to suit the environment. The set of predefined rules is continually updated and available for download from RSA SecurCare Online.

Cisco PIX Firewall 106001Cisco PIX Firewall 106010Cisco PIX Firewall 106012Cisco PIX Firewall 106015Cisco PIX Firewall 106016Cisco PIX Firewall 307001Check Point Firewall-1 050010

Defined set of events

+ filters, and conditionsDefined thresholds,

Specified time period

22 4: Incident Management


Monitoring Alerts by Using Views

Administrators and users with the appropriate permissions can monitor alerts in the RSA enVision GUI and in the destination specified in the associated view.

For example, the following figure shows how the enVision GUI displays the number and severity of alerts by NIC category above the established baseline. From this window, administrators and users can drill down to display the particular alerts that have occurred and drill down further for information on the messages that triggered an alert.

RSA enVision can also generate summary reports of alerts, such as recent alerts, alerts by category, and alert trends.

Alert levelsby NICcategory

Alert levelsby severity

Alert details



Incident-Response Tasks

RSA enVision can group events into tasks for the purpose of investigation, and can assign these tasks to analysts (or to an intermediate dispatcher) for response. Analysts display and work with the tasks in RSA enVision Event Explorer. Managers and administrators can monitor the analysts’ progress in the enVision GUI.

Monitoring Alerts by Creating Tasks

In enVision, the administrator can specify the creation of a task based on a correlated alert. When the alert fires, enVision creates the task and sends it to Event Explorer for resolution or to an external application, such as a third-party ticketing system.

Managing Tasks in RSA enVision Event Explorer

When enVision forwards tasks to Event Explorer, Event Explorer displays a list of tasks and the details of individual tasks.

Depending on the Event Explorer user’s permissions (as set by the enVision administrator), the user assigned to a task can acknowledge the task, view and edit task data, assign the task to another analyst, and close or delete the task. The user can also escalate the task an external application, such as a ticketing system. The external application can update tasks and send the updates back to Event Explorer.

Multiple users can access the same task from different Event Explorer clients. Event Explorer displays a warning message if different users attempt to make conflicting changes to the task.

New Task Created

Task Opened

Task Closed

Create

Acknowledge

EscalateClose

Delete

Reopen

Delete

Delete

Close

External Application(Ticketing System) Update

Task

Task escalated to external application



Monitoring Tasks

Administrators can monitor the status of tasks in the RSA enVision GUI, as illustrated in the following figure.

Administrators can also generate summary reports of tasks, showing such productivity metrics as departmental workload, open tasks, and time to closure.

Forensic Analysis

Many RSA enVision features rely on real-time alerts and other dynamic information to help resolve incidents in progress. Sometimes analysts need to drill into historical (static) data to research some event that happened in the past. Research using static data is called forensic analysis.

Forensic analysis can help determine a sequence of events leading to a given state of a network asset. Forensic analysis can be used when an asset fails, is attacked, or is otherwise compromised.



The following figure illustrates how events stored in the enVision IPDB can indicate suspicious activity on an event source, in this case a laptop containing sensitive data.

Event Explorer is the primary interface used for both real-time and historical data mining. Event Explorer is a client application that analysts use with enVision to retrieve and examine event data. The user must have an enVision account to use Event Explorer.

Event log analysis involves logging on to the relevant Application Server and creating an event trace to retrieve specific messages. The event trace wizard (a tool within Event Explorer) assists users in setting up and managing an event trace.

An event trace specifies the messages, the event sources that generated the messages, and the time frame in which the messages were received by enVision. Users can limit the data retrieved by filtering for specific message content. Event traces display returned data in tables and charts:

• Standard tables and charts enable data selection without requiring users to know how to use the SQL commands that Event Explorer uses internally.

• Advanced tables and charts require users to enter SQL statements to define how the data is displayed, providing more control over data selection and display.



The following figure shows a standard table trace view.

RSA Event Explorer can also display data as an area, stacking area, bar, stacking bar, line, plot, pie, bubble, or spider web chart. The following figure shows a standard chart trace view.

The data displayed in tables and charts derives from actual or aggregated logs (events) and can provide a trail of events causing an asset compromise or failure.



5 Reports and Queries

Reports and queries offer complementary methods to summarize information about the event sources monitored by RSA enVision.

Reports

Reports provide convenient summaries of incidents and security-related statistics for defined time periods. Reports support incident handling, workflow process management, and auditing needs by providing essential statistics in graphs or tables.

RSA enVision provides over 1200 standard reports that gather common network security and traffic analysis statistics into tables and graphs. Administrators can copy and modify these reports or create custom reports to meet specific reporting needs.

Administrators and users with the appropriate permissions can copy and modify the reports, or create custom reports to meet specific reporting needs. Optionally, a report can run once on a specified day or run repeatedly at specified times.

RSA enVision can archive or delete generated reports that no longer need to be viewed through the UI.

RSA enVision can e-mail generated reports to departments and people who need them such as IT, human resources, the CIO office, compliance officers, and managers.

RSA enVision provides reports for security, host, network, storage, and other devices.

RSA enVision also provides a number of report packages to satisfy compliance needs such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).

5: Reports and Queries 29


An enVision report consists of a single graph or a single table. For some purposes, a user may need more data than can be included in a single graph or table. RSA enVision can group multiple reports together so that they run at the same time.

The following figure shows examples of a graphical report and a tabular report.

Queries

Queries are similar to reports but are only run ad hoc. They generally execute faster, as they are intended to deal with smaller amounts of data than reports. A query returns only tabular data. Analysts might use queries in forensic analysis, for example to drill quickly into an alert or other condition discovered in RSA enVision Event Explorer or to audit some past event.

Queries help users and administrators retrieve and examine any data collected by enVision. Query results can be based on IP addresses, dates and times, event message types, and other criteria. Users can generate a query in response to an alert condition appearing in Event Explorer.

Queries use SQL syntax to construct statements for accessing database tables for conditions and events including:

• General traffic flows and events that were allowed

• Accesses that were denied or prevented from happening based on policy

• Status and health parameters

• URL information indicating where users have visited

Graphical Report

Tabular Report

30 5: Reports and Queries


Users can compose simple or complex queries:

• A simple query is a single logical statement (a single row in the Edit query table).

• A complex query consists of multiple statements (multiple rows in the Edit query table) logically joined using AND or OR. Multiple statements can narrow a query or extract a more accurate set of results for given criteria.

The following figure shows the Create New Query window.

Edit query

Select device group

Select time range

Run the query

5: Reports and Queries 31


6 Compliance

Organizations often must comply with organizational security requirements or regulations imposed by the state or federal government. RSA enVision helps meet compliance needs by monitoring and reporting on the following IT criteria used to show whether an organization is in compliance:

• Access control

• Configuration control

• Malicious software

• Policy enforcements

• User monitoring and management

• Environmental and transmissions security

RSA enVision helps organizations collect and maintain evidence of compliance in the form of reports on mandated systems. Compliance packages are sets of report templates that summarize the precise data needed by a regulatory body.

RSA enVision offers the following regulatory compliance packages:

• BASEL II—International Convergence of Capital Measurement and Capital Standards

• Bill 198—Ontario Securities Commission regulations

• FISMA—Federal Information Security Management Act

• GPG-13—Good Practice Guide 13

• GLBA—Gramm-Leach-Bliley Act

• HIPAA—Health Insurance Portability and Accountability Act

• ISO 27002—Best practice recommendations on information security management

• Memo 22—Protective monitoring of UK National Infrastructure Security systems

• NERC—North American Electric Reliability Council

• NISPOM—National Industrial Security Program Operating Manual

• PCI—Payment Card Industry Data Security Standard

• SOX—Sarbanes-Oxley Act

• SAS 70—Statement on Auditing Standards No. 70

6: Compliance 33


7 Further Information and Assistance

RSA provides numerous sources of additional information and hands-on assistance with deploying and using the RSA enVision platform.

Help Systems

The primary source of usage and administrative information about enVision is the Help system. Both enVision and RSA enVision Event Explorer have embedded Help systems. You can also download and view the Help separately from the products through RSA SecurCare Online.

Locate Embedded Help

To find the Help within enVision:

Do one of the following:

• On the enVision navigation panel, select Overview > Best Practices > Product Usage > Help to view the Help Table of Contents.

• On any enVision window, click the question mark icon to view the Help

topic that describes the current window.

The Help is displayed in a new window.

To find the Help within Event Explorer:

On any Event Explorer page, click Help to view the Help Table of Contents.

The Help is displayed in a new window.

Download Stand-Alone Help

To download the RSA enVision Help:

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see “Accessing RSA SecurCare Online” on page 37.)

2. Click Home > RSA enVision > Product Documentation > RSA enVision Platform 4.1 Documentation > RSA enVision 4.1 Online Help.

3. On the File Download pop-up window, click Save.

4. Specify the download destination, or accept the default. Click Save.

5. Unzip the downloaded Help files.

6. In the folder containing the unzipped Help files, click nic.htm to open the Help. The Table of Contents is displayed, with links to all the Help topics.

7: Further Information and Assistance 35


To download the Event Explorer Help:

1. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online. (For registration information, see “Accessing RSA SecurCare Online” on page 37.)

2. Click Home > RSA enVision > Product Documentation > Event Explorer 4.1 Documentation > Event Explorer Online Help Files.

3. On the File Download pop-up window, click Save.

4. Specify the download destination, or accept the default. Click Save.

5. Unzip the downloaded Help files.

6. In the folder containing the unzipped Help files, click Event_Explorer.htm to open the Help. (If prompted to accept Active X content, click Yes.)The Table of Contents is displayed, with links to all the Help topics.

Online Resources

The RSA web site and RSA SecurCare Online, an e-support system, provide a wealth of resources for RSA customers including technical information, solutions, and support.

RSA Web Site

On the RSA enVision product pages on the RSA web site, www.rsa.com, you can find:

• Descriptions of enVision, including white papers, solution summaries, data sheets, and news releases

• A link to the RSA enVision Intelligence Community, an active online community of enVision users, at https://rsaenvision.lithium.com/nic/user_signon

• A link to RSA SecurCare Online at https://knowledge.rsasecurity.com

• A link to a list of event sources that enVision supports at http://rsa.com/rsasecured/results.aspx?program=116

RSA SecurCare Online

Within SecurCare Online, https://knowledge.rsasecurity.com, you can access:

• RSA enVision Service Pack Updates

• A list of supported event sources (devices) and their configuration guides

• RSA enVision Event Source Updates (including event sources, correlation rules, and reports)

• RSA enVision VAM & Signature Updates

• Sample watchlists

• Technical Knowledge Base (product issues and resolution)

36 7: Further Information and Assistance


• Product documentation for enVision and Event Explorer:

– RSA enVision Help– RSA enVision Release Notes– RSA enVision Overview Guide– RSA enVision Hardware Setup and Maintenance Guide– RSA enVision Configuration Guide– RSA enVision Migration Guide– RSA enVision Virtual Deployment Guide– RSA enVision Administrator’s Guide– RSA enVision User’s Guide– RSA enVision Backup and Recovery Guide– RSA enVision Security Configuration Guide– RSA enVision Universal Device Support Guide– RSA enVision Event Explorer Help– RSA enVision Event Explorer Release Notes– RSA enVision Event Explorer Installation Guide

Accessing RSA SecurCare Online

RSA SecurCare Online is available to customers who have an RSA product covered under a maintenance contract. Register with SecurCare Online from the RSA web site by selecting Support > RSA SecurCare Online e-support system > Register for RSA SecurCare Online, or go to https://knowledge.rsasecurity.com/registration.asp.



Event Source, Report, Correlation Rule, and VAM Updates

RSA is continually adding and updating event source support, reports, correlation rules, and VAM data.

If you have an RSA maintenance contract, you will receive e-mail notification of these updates as soon as they become available. You can then log on to SecurCare Online and download the update packages. (The e-mail notification includes a link to SecurCare Online. For registration information, see the previous section, “Accessing RSA SecurCare Online.”)

Event Source Updates include files that enable the RSA enVision Collectors to recognize additional event sources and to interpret their log messages. Updates also include files that enable the Collectors to interpret log messages that event source vendors have recently added.

Event Source Updates also contain new reports, as well as new correlation rules that you can add to enVision and use when configuring correlated alerts.

VAM and Signature Updates enable the enVision vulnerability and asset manager to recognize additional network assets and new vulnerabilities.

38 7: Further Information and Assistance


Assistance

As an RSA enVision customer, you can get hands-on assistance in the form of technical support, training, professional services, or outsourcing to RSA partners:

Technical Support. Support is available by telephone and the RSA SecurCare Online e-support service. For instructions and telephone numbers, see RSA.com > Support > Contacting Support, or go to http://rsa.com/node.aspx?id=1068.

Training. RSA offers instruction in enVision administration and operations at customer sites and at RSA and EMC facilities worldwide. For courses available and information on registration, see RSA.com > Services > Training & Certification, or go to http://rsa.com/node.aspx?id=1258.

Professional Services. RSA Professional Services offers end-to-end Security Information and Event Management (SIEM) services, including strategy development, solution design, enVision deployment, and staff augmentation and assistance. RSA enVision is most effective when combined with supporting policies and procedures for incident handling. RSA Professional Services can help customers to leverage their investment in the product by building out a security operations program with enVision as the core technology. For more information, see RSA.com > Services or your sales representative, or go to http://rsa.com/node.aspx?id=1243.

RSA partners. RSA has business partners who specialize in SIEM using the RSA enVision platform. To explore outsourcing some or all of your organization’s SIEM activities and to identify a potential source of assistance, see RSA.com > Partners > Find a Business Partner, or go to http://www.rsasecurity.com/partners/partnerfinder.asp.



Glossary

A-SRVSee Application Server.

ad hoc reportAn unscheduled report that runs immediately.

ADBSee Asset Database.

administratorA user responsible for setting up and maintaining the RSA enVision platform. An administrator has access to all enVision functions.

alertAn indication that an event, or a sequence of events, requires further investigation. The enVision platform sends alerts based on messages received under a configured set of circumstances such as filters. The administrator defines alerts for each view.

Alert History toolThe RSA enVision tool that is used to display alerts from the events database.

Alerts moduleThe RSA enVision module that provides tools to monitor, display, and configure alerts.

Analysis moduleThe RSA enVision module that provides tools to view, query, and analyze collected data.

applianceThe hardware on which RSA enVision software is deployed. See single appliance site and multiple appliance site.

Application Server (A-SRV)The appliance or component of the RSA enVision platform that supports interactive users and runs the suite of enVision analysis tools. In a single appliance site, the Application Server (A-SRV) is a component of the enVision system. In a multiple appliance site, the A-SRV is installed on its own appliance. See single appliance site and multiple appliance site.

assetA system, such as a host, software system, workstation, or device, that is within a network and makes up the enterprise environment.

Asset Database (ADB)A unified view of assets created by merging data from supported vulnerability assessment (VA) tools and imported asset information in the asset tracking tools. The ADB provides security managers with insight into their operations.

Glossary 41


attribute categoryA group of categories defined by the RSA enVision platform for device and asset attributes. The nine categories are properties, location, organization, owner, physical, function, importance, vulnerability, and zone. Users can define custom categories.

bind reportA group of reports that can be scheduled to run as a single report.

collectionThe process of collecting, analyzing, and storing logs from event sources. the RSA enVision platform stores the logs, with descriptive metadata, in the Log Smart Internet Protocol Database (IPDB).

CollectorThe appliance or component of the RSA enVision platform that captures incoming events. In a single appliance site, the Collector is a component of the enVision system. In a multiple appliance site, the Collector is installed on its own appliance.

Common Storage Directory (CSD)A single directory that contains the configuration and statistical information for data collected on a site. The Common Storage Directory (CSD) can be located on a single appliance site, on the Database Server of a multiple appliance site, or on the Remote Collector of a distributed system.

computer nameSee node.

confidence level filteringA filter defined by the administrator to determine if a supported intrusion detection system (IDS) or an intrusion prevention system (IPS) can be trusted for its truthfulness and applicability. The confidence level detects if a message from an IDS or an IPS should be considered an alert.

Configuration database (nic.db)A repository that stores a user’s configuration settings such as user information, permissions, and views.

correlationA relationship between a set of events and a set of specific conditions.

D-SRVSee Database Server.

Database Server (D-SRV)The appliance or component of the RSA enVision platform that manages access and retrieval of captured events. In a single appliance site, the Database Server (D-SRV) is a component of the enVision system. In a multiple appliance site, the D-SRV is installed on its own appliance. See single appliance site and multiple appliance site.

device See event source.

device classIdentifies the classification of the event source. A device class provides a framework for organizing event sources by their general function.

42 Glossary


device type (dtype)An assigned internal name for an event source that is used by RSA enVision tools and utilities. The dtype value is displayed on the enVision interface, reports, and queries.

EASee Enhanced Availability.

Enhanced Availability (EA)A site with Enhanced Availability (EA) is a multiple appliance site where the Local Collector (LC) functionality runs on Cluster Appliances (CAs).

EPSSee events per second.

event categorySystem-defined or administrator-defined group of messages for alerting and reporting that is assigned across device classes.

Event ExplorerRSA enVision module that provides advanced tools for analysis of real-time and historical data. These tools allow users to sift through logged data and apply security forensics.

event sourceAn asset such as a physical device, software, or appliance that produces a message (log) and is configured to send the log to the RSA enVision platform. Event sources include firewalls, VPNs, antivirus software, operating systems, security platforms, routers, and switches.

events per second (EPS)Events captured per second by the RSA enVision platform.

incident escalationSee task escalation.

incident managementSee task triage.

IPDBSee LogSmart IPDB.

LCSee Local Collector.

Local Collector (LC)A component of an RSA enVision multiple appliance site that captures incoming events. A multiple appliance site can have up to three Local Collectors (LCs). See multiple appliance site.

LogSmart IPDBThe LogSmart Internet Protocol Database (IPDB) stores internet protocol-based information, storing each source element in a separate container. Each log data message is identified by the IP address of the event source from which the message originated. The LogSmart IPDB maps this IP address to the originating event source and determines the format of the incoming message. The log message is the metadata that describes the event.

Glossary 43


message categoryA group of messages. Message categories are hierarchical, consisting of up to five levels: a NIC category, an alert category, and up to three levels of event category.

message variableDefines a type of data that is extracted from message payloads. Message variables are useful when analyzing and reporting on data.

monitored deviceA supported event source that has been configured to send event messages to the RSA enVision platform. The enVision platform collects and stores events from monitored devices.

multiple appliance siteAn RSA enVision site in which each enVision component (Application, Collector, and Database) is on its own appliance.

NICThe acronym used to label many essential RSA enVision components, services, and tools.

NIC databaseSee Configuration database (nic.db).

NIC domainA group of multiple appliance sites that constitute an organization's entire deployment of the RSA enVision platform. One site acts as the NIC domain master site.

NIC message IDA number that identifies a message. This number may or may not be the same as the vendor message ID.

NIC System deviceGenerates event messages to indicate the health and activity of the RSA enVision platform, such as disk space usage, current EPS, data retrieval statistics, and user activity messages.

NIC_ViewAllows users to monitor the health of the RSA enVision system. The NIC_View alerts users to problems within the enVision software environment.

nodeAn appliance in an RSA enVision site.

output actionConfigured notification method for alerts. The primary output actions are SMTP, SNMP, SNPP, Instant Messenger, syslog, run a command, text file, and task triage.

Overview moduleThe RSA enVision module that provides tools to configure the enVision platform and monitor system health and performance.

RCSee Remote Collector.

44 Glossary


Remote Collector (RC)An optional component of an RSA enVision multiple appliance site that captures incoming events at a remote location. A Remote Collector (RC) runs on its own appliance. Up to 16 RCs can be associated with a site.

Reports moduleThe RSA enVision module that provides tools to run standard network security and traffic analysis reports, or create and run custom reports.

single appliance siteAn RSA enVision site in which all enVision components (Application, Collector, and Database) are on one appliance.

siteThe basis on which the RSA enVision platform is deployed. Each site consists of three main components: Application Server, Collector, and Database Server.

site nameThe name of the site, defined during the configuration of the RSA enVision platform.

standard reportReports that are supplied within the RSA enVision platform for compliance, correlated alerts, event sources, as well as for task triage, and vulnerability and asset management.

task escalationA function that allows users to send tasks to an external application, such as a ticketing system, for offline investigation.

task triageA feature that allows users to group events into tasks for the purpose of investigation. Tasks can be further analyzed in the RSA enVision Event Explorer module, escalated to an external ticketing system, or both.

trace viewA set of parameters that define the information that is displayed in the form of tables and charts. The two forms of trace views are standard and advanced trace views.

UDCSee Universal Device Collection.

Universal Device Collection (UDC)Allows the RSA enVision platform to collect log data from any event source that logs through SNMP, ODBC, or File Reader.

VAMSee vulnerability and asset management.

VDBSee Vulnerability Knowledge Database.

viewAn administrator-defined set of event sources, messages, correlation rules, and criteria, within a single site, for which the RSA enVision platform issues alerts.

Glossary 45


vulnerability and asset managementA feature that provides unified management of assets and vulnerability incident analysis.

Vulnerability Knowledge Database (VDB)An embedded repository of vulnerability information derived from the National Vulnerability Database (NVD).

watchlistA named collection of strings that represent a list of like-values. A watchlist can easily function as a filter for events in reporting and alerting.

46 Glossary


Index

AADB. See Asset Databasealerts

correlated alerts, 22correlation rules, 22described, 21monitoring, 23–24real-time alerts, 21views, 21

analysisEvent Explorer, 26–27event traces, 26–27examining historical data, 25–27forensic analysis, 25–27

Application Server, 10A-SRV. See Application ServerAsset Database, 19

Ccapabilities, 9–10certification, 39classes, 39Collector, 10compliance reports, 33components, 10–11context-sensitive Help, 35correlation rules

described, 22updates, 38

Customer Support, 6, 39

Ddata flow, 11Database Server, 10deployment assistance, 39deployments, 11–12documentation, 36–37D-SRV. See Database Server

Eevent collection

Collector, 10event sources, 15Internet Protocol Database, 17message categories, 15–16

Event Explorerdata analysis, 26–27described, 11GUI, 14Help, 35–36interface, 14

Event Source Updates, 38event sources

described, 15list, 36–37updates, 38

event storage, 17

Fforensic analysis, 25–27functions, 9–10

GGUI

enVision, 13Event Explorer, 14

HHelp, 35–36help desk, 6, 39historical data, examining, 25–27

Iincidents, 21interface

enVision, 13Event Explorer, 14

Internet Protocol Database, 17IPDB. See Internet Protocol Database

Kknowledge base, 36–37

Mmessages

categories, 15–16storage, 17

Ooutsourcing security, 39

Index 47


Pprofessional services, 39

Qqueries, 30–31

Rreal-time alerts, 21reports

compliance reports, 33described, 29–30updates, 38

RSA partners, 39RSA Professional Services, 39RSA SecurCare Online, 36–37RSA web site, 36rules

described, 22updates, 38

SSecurCare Online, 36–37security strategy assistance, 39sites, 11–12support, technical, 6, 39

Ttask management, 24

tasksdescribed, 24managing, 24monitoring, 25

technical support, 6, 39training, 39

Uupdates, 38

VVAM. See Vulnerability and Asset

ManagementVDB. See Vulnerability Knowledge

Databaseviews, 21Vulnerability and Asset Management

Asset Database, 19described, 19IDS and IPS, 20updates, 38VAM & Signature Updates, 38VAM event sources, 20Vulnerability Knowledge Database, 20

Vulnerability Knowledge Database, 20

Wweb site, 36

48 Index

EnVision Overview Guide

Documents

Transcript of EnVision Overview Guide