
RSA Solution Brief

The RSA enVision Platform

A Single, Integrated 3-in-1 Log Management Solution


The RSA enVision Platform at a Glance


The RSA enVision platform gives organizations a single, integrated 3-in-1 log management solution for simplifying compliance, enhancing security and risk mitigation, and optimizing IT and network operations through the automated collection, analysis, alerting, auditing, reporting and secure storage of all logs.

Collection and Management
- Records and stores everything that happens on the network, as it happens
- Is easy to set up, with no agents to be installed on your network
- Integrates with hundreds of different networked devices, right out of the box

Analysis and Alerting
- The platform's knowledge base learns, grows and adapts to reflect a constantly changing compliance and security landscape
- Applies actionable intelligence, forensics and reporting to identify critical events and trends for immediate action and resolution
- Gives a clear and comprehensive overview of overall network activity with real-time monitoring, alerts and understanding of unusual events, tracked against an observed baseline

Auditing and Reporting
- Scales to manage tens-of-thousands of network, security, host, application/database and storage devices across multiple geographies
- Includes more than 1,100 easy to customize built-in reports covering a vast range of user-defined issues, internal security policies and compliance regulations

Storage
- Stores your data more efficiently and optimizes access whenever information is needed
- Provides complete, accurate and verifiable storage to meet compliance standards

A Proven Solution
- Provides a scalable, distributed architecture to collect, store, manage, protect and analyze event log data without data loss or corruption, both locally and remotely
- Is proven to take the cost and complexity out of compliance and security for more than 1,600 customers worldwide
- From an analyst-recognized leader in security and event management, with a heritage in security and the breadth of management and storage expertise as part of EMC
- Backed by RSA's expert professional services team to deliver an aggressive ROI and an immediate payoff in improved business continuity and performance.

For more than 1,600 organizations, including some of the largest global Fortune 100 enterprises, RSA enVision platform technology is crucial to monitoring and enforcing complex and exhaustive security and compliance policies and procedures.

[Figure: RSA enVision Information Management Platform for Network, Compliance & Security Operations. Panels: Simplifying Compliance (compliance reports for regulations and internal policy; reporting, auditing), Enhancing Security (real-time security alerting and analysis; forensics, alert/correlation), Optimizing IT & Network Operations (IT monitoring across the infrastructure; network baseline, visibility). Platform: RSA enVision Log Management platform with purpose-built database (IPDB). Event sources shown: security devices, network devices, applications/databases, servers, storage.]

Total Visibility. Total Control.


In any IP network, almost every device, from firewalls to servers, generates logs of the traffic it carries, the transactions it makes and the activities it conducts. This data is vital to secure successful use of the network. It helps to optimize security, business continuity and network performance and provides an essential record of all network events and user activity, helping comply with government, industry and internal regulations.

But monitoring thousands of devices and then handling and protecting the event log data each device produces, covering many thousands of events, every second of every day, can be a huge challenge. The RSA enVision platform addresses this challenge and makes it easy for your compliance, security and network professionals to identify, explore and resolve critical events and trends by building a clear and comprehensive picture of network activity.

A 3-in-1 Log Management Solution


The RSA enVision platform gives organizations a single, integrated 3-in-1 log management solution for:
- Simplifying compliance
- Enhancing security and risk mitigation, and
- Optimizing IT and network operations.

It provides automated collection, analysis, alerting, auditing, reporting and secure storage of all logs. It is a proven solution already deployed in more than 1,600 leading organizations worldwide.

The RSA enVision platform is a scalable, high-availability solution for security information and event management (SIEM). It is able to capture all the log data on your network, all the time. It continuously records and stores every event log generated by any device on the network, ensuring that each event is complete, accurate and verifiable. It also offers powerful analytical tools to help simplify compliance, enhance security and risk mitigation, and optimize IT and network operations. Quite simply, you gain three solutions in the same box:

- Compliance auditors have a complete set of authentic and verifiable data to help them meet reporting requirements.
- Risk-management and security operations staff are better able to protect their network, data and assets, empowered by real-time visibility and understanding of suspicious network activity and susceptible network vulnerabilities.
- IT and network administrators have a record of everything that has happened and is happening in the network as well as insight into what might happen, helping to optimize network performance and guide their activities and investments.

The RSA enVision platform provides a full account of network activity and the means to meet all the compliance demands of access and configuration control, malware detection, policy enforcement, user monitoring and management, and environment and transmission security. It does this by:
- Efficiently and securely collecting, protecting and storing data exactly as network devices have recorded it,
- Establishing baselines of activity for the entire network environment to define what constitutes normal activity and detect any deviations from the baseline,
- Alerting affected parties to deviations from baseline activities and detecting complex patterns of malicious activity across multiple network, security and storage devices and across multiple host applications,
- Generating summary and detailed reports for mandated periods of time, using real-time and historic data,
- Carrying out forensic analysis to correct policies and settings on systems and provide a debug-level view of all changes and the effect they have on the environment, and
- Establishing incident management tools to closely monitor and correct violations and making sure they are recorded, escalated and corrected in a timely and thorough manner.

Log Management for Simplifying Compliance


All the Evidence You Need to Demonstrate Corporate Responsibility

The RSA enVision platform simplifies and streamlines your compliance procedures by collecting all the data that drives your business, storing it in a compliant, protected manner and automatically generating noncompliance alerts against an observed baseline. Armed with this information, you can ensure and prove compliance and give customers and trading partners greater confidence in doing business with you, helping to build your brand. Should the need arise you can call up verifiable crucial evidence to support or contest legal action in cases of wrongful dismissal, breaches of information privacy laws or intellectual property theft.

A Complete Record of Activity

Whatever the regulatory environment, organizations must have systems in place to capture, collect and protect all their event data. It must be captured across the entire network, be readily accessible for inspection and audit by government and regulatory bodies and stored securely for many years to come, as dictated by the individual regulatory requirements.


Easy Compliance Assessments

The platform's reporting engine provides quick and easy access to and analysis of compliance-sensitive data. Administrators can create their own reports based on your organization's specific compliance policies using an intuitive wizard interface, and they can utilize more than 1,100 built-in graphic and tabular reports covering a vast range of user-defined issues and all the major global compliance regulations, including:
- Sarbanes-Oxley (SOX),
- Health Insurance Portability and Accountability Act (HIPAA),
- US Patriot Act,
- Gramm-Leach-Bliley Act (GLBA),
- Basel II,
- Payment Card Industry (PCI),
- ISO27001/ISO17799,
- Federal Information Security Management Act of 2002 (FISMA),
- California Senate Bill 1386,
- Statement on Auditing Standard 70 (SAS 70), and
- Emerging European Union (EU) regulations governing data security, cyber-crime and terrorism.

Future-proof Compliance Archival

Because it stores complete log records from devices, without filtration or normalization, the RSA enVision platform equips you to respond to future compliance requirements, however unexpected. With storage limited only by physical infrastructure, there is no risk of deleting anything that could one day prove critical to new compliance requirements and you can be certain of being able to verify its accuracy or completeness against any new standard.

Log Management for Enhancing Security and Risk Mitigation


Protecting Your Data, Your Business and Your Reputation

Even the toughest perimeter defenses cannot stop all of today's external security threats, and they are virtually useless against internal threats. Intruders are becoming increasingly clever and creative in identifying loopholes and exploiting vulnerabilities in network security, often hiding their attacks in ingenious depths of complexity. The RSA enVision platform is the only SIEM solution that can deliver 100% visibility into security threats occurring inside your network and at the perimeter. It does this by aggregating and analyzing all the event log data it collects from switches, routers, security devices, hosts, applications, servers and storage into its database, then processing this raw information quickly to identify and prioritize security insights.

Intelligent Baselining

The first step toward identifying security issues is to build a picture, or baseline, of the infrastructure as it should look, including which users are accessing which applications, what are common traffic patterns and what kind of devices reside on the network. The RSA enVision platform combines a knowledge base of tens-of-thousands of known log messages with an open classification dictionary (taxonomy). It can learn network patterns over time and automatically establish appropriate baselines to detect anomalies and unusual patterns and track specific groups of devices and events.

Data is stored unchanged, intact and tamperproof, and can be accessed and retrieved for any compliance purpose, now or in the future.


A Close Watch

Through real-time monitoring, the RSA enVision platform gives you a single, complete view of the relationships between events that occur throughout your network. It automatically monitors and helps enforce access controls so that you can see misuse immediately and make users accountable for both privileged and non-privileged access to all network, computing and application components, thereby minimizing the risk from insider threats. It also detects any rogue network services that use open paths through network defenses, allowing you to shut down network access in time to protect your organization from information leaks, privacy breaches and illegal content. In addition it enables you to track the source of potential breaches using watch lists that monitor the network addresses and names of users who target specific services and systems.

Early Warning

Alerts can be set to trigger whenever established baseline thresholds are exceeded, known offenders become active, unauthorized network access or rogue services are detected, or when a specific custom rule is broken relating to any geography, service or device. The RSA enVision platform correlates this event data against its extensive knowledge base of known vulnerabilities and the assets in your networks. Assisted by the on-board task-triage ticketing system, this helps managers to distinguish serious events from false positives and prioritize resources for events that pose a genuine risk to network and business assets.

Security Reporting

The 1,100-plus built-in reports provide extensive tabular and graphical analysis of security-affecting events, helping to enforce access controls for any asset on the network. All reports can be modified, exported and set to cover any time period extremely quickly, enabling prompt action to be taken.

Event Explorer

The RSA enVision Event Explorer is an advanced analytics module that helps you to dynamically view network behavior across application, firewall, IDS and other types of data, assessing the source, cause and effect of a breach for its risk level, range and severity. Enabled by the ability to conduct real-time and historical forensic investigations, you can drill down into the data, explore it from a variety of perspectives and investigate a range of issues simultaneously with sophisticated querying, filtering, searching and sorting tools. Correlated threat detection helps you to examine and compare patterns of network behavior enterprise-wide, automatically assessing it in terms of vulnerability, risk and threat.

Finding a needle in a haystack: the RSA enVision dashboard, real-time alerts and powerful forensic and analytical tools make it quick and easy to dig for evidence and identify and measure unusual activity.


Security breaches leave a trail of forensic evidence. Event Explorer enables you to trace it back to the source.

[Figure: RSA enVision Event Explorer (View 1, View 2, View 3) over a distributed deployment. Sites labelled: Customer A, Customer B, Data Center 1, Data Center 2. Components labelled: Remote Collector, data collectors, data servers, application servers. Event sources labelled: Windows servers, Windows workstation, NetScreen firewall, Trend Micro anti-virus, NetApp file server, Oracle financial.]

Log Management for Optimizing IT and Network Operations


Cut through the complexity for a clearer view of user activity and network performance.

The RSA enVision platform is unique in its ability to collect all the IP activity logs generated on your network, and then, using a revolutionary database technology, powerful correlation capabilities and advanced analytics, transform this mass of unstructured, seemingly unrelated event data into understandable information that details exactly what is happening within the enterprise network and across all the IT systems.

RSA enVision appliances can be deployed individually, as a complete, self-contained solution for smaller networks, or as part of a larger distributed architecture that enables the rapid collection of event log data from anywhere on a network, regardless of geographical location or network size. Once collected, this information is key to verifying compliance with regulations and security policies, generating alerts for possible security breaches, mitigating network risk, and analyzing and reporting on network performance.

The RSA enVision platform can capture, analyze and manage events from the entire network infrastructure out-of-the-box, without requiring agents, using event transport protocols, including:
- Syslog over UDP
- Syslog over TCP
- ODBC
- Windows Agent-less
- SNARE Agents
- SNMP
- Check Point LEA
- Secure file transfer (including mainframe)


Optimizing IT and Network Operations

IT organizations can leverage the platform to track and manage activity logs for servers, networking equipment and storage platforms, and monitor network assets, availability and the status of people, hardware and business applications. The RSA enVision platform provides an intelligent forensic tool for troubleshooting infrastructure problems and protecting infrastructure resources, and it assists IT managers in help-desk operations and provides granular visibility into specific behaviors by end-users.

A Shortcut to Visibility into Your Network Infrastructure

Installation of RSA enVision appliances is simple. Individual appliances need only be plugged into a power source and attached to the network for you to be up and running in an hour. For businesses with larger networks, the RSA enVision appliance-based solutions scale easily to cope with the demands that come from collecting, storing and analyzing data in real-time from thousands of network devices which may be distributed across continents as well as countries. The scalable solutions can easily handle the storage demands of hundreds of gigabytes of data, and have the proven ability to collect and process hundreds of thousands of events per second. These solutions are delivered on a standardized, controlled combination of hardware, OS and software; this means that performance levels are predictable, reproducible and guaranteed.

Event log data is collected from all IP devices in the network without having to deploy collecting agents on each IP device, meaning that there's no overhead on the device performance and no additional software to manage, maintain and update.

All the Data, All the Time

The RSA enVision platform can collect all the event data, all the time, even in the busiest, most data-intensive operations. Data collection devices can be duplicated for high availability, providing immediate fail-over if the primary collector fails. Real-time alerts, reports and statistical analysis are brought together and presented graphically through a dashboard facility, making it easy to watch and understand events as and when they happen.

Real-time Analysis

The RSA enVision Internet Protocol Database allocates data to different media depending on its value, archival duration and demands for rapid access, while allowing real-time data analysis.


Keeping Pace

The RSA enVision platform learns as it goes, gathering information into its knowledge base in real time. In this way it builds a clear and comprehensive view of how your network and users operate. The solution automatically sets and updates benchmarks (baselines) for normal activity and uses them to detect any unusual levels of activity and complex patterns of suspicious activity across multiple, disparate devices. Real-time alerts can be set to trigger the moment activity deviates from the baseline.

Fast, Intelligent Data Storage

At the heart of the platform is the patented RSA enVision LogSmart Internet Protocol Database (IPDB). It enables more data to be captured, managed, stored and analyzed faster than other technologies, while reducing the relative cost of data storage. Data archival and access is optimized using tiered storage across a range of online, near-line and offline systems and media to reflect how often each file needs to be accessed and for how long it must be retained.

Integrity Assured

The RSA enVision platform stores event data exactly as it is received; it doesn't normalize the data or modify it in any way. During storage, the appliance renders the data tamperproof using the latest write-once-read-many storage technology. Data cannot be changed, lost or damaged, and specific records can be rapidly and instantly retrieved as users require for reporting, forensic analysis or exploration.

Organizations choose RSA enVision technology because it's a single, 3-in-1 integrated solution for simplifying compliance, enhancing security and risk mitigation, and optimizing IT and network operations.


Why Choose the RSA enVision Platform?

The RSA enVision platform is the market-leading SIEM technology platform, able to meet the demands of networks of any size without losing any of the data and ensuring that once data is collected it cannot be edited or changed. Designed to make network monitoring simple, the security-hardened RSA enVision appliances integrate right out of the box with hundreds of different event source types and start gathering information from your infrastructure from the moment you plug them in, without the need to install agents on network devices. Once collected, stored and secured, this data is then available to all authorized administrators, providing a common platform for data analysis for all interested parties. For the first time, compliance officers, security officers and IT managers can implement a shared infrastructure that meets their individual needs and provides flexible, customizable reporting on data extracted from a shared, global database.

The RSA enVision Family of Appliances

With best-in-class services products and partnerships, RSA provides a comprehensive solution for Information Risk Management, which is a holistic strategy for mitigating the risks to which information is exposed throughout its lifecycle. The RSA enVision platform's wide range of appliances meets the SIEM needs of many organizations and supports enterprise-wide Information Risk Management initiatives. The ES Series of self-contained standalone appliances provides log management for up to 7,500 events per second and up to 1,250 devices. Larger, more complex infrastructures are best served by a distributed, scalable infrastructure combining the LS Series of Data Collectors, Data Servers and Application Servers for greater performance and redundancy. Remote Collectors can also be used to gather data from branch offices or remote overseas locations.

Take Action Today

From the earliest planning stages through to final deployment, RSA experts can work with you to identify the specific business and compliance requirements that apply in your industry and business, then smoothly deploy the RSA enVision platform that fully addresses your needs for simplifying compliance, enhancing security and risk mitigation, and optimizing IT and network operations. To find out more about how your organization could benefit from the RSA enVision platform, please contact your local EMC or RSA Sales representative, or visit: www.RSA.com or www.EMC.com.


RSA is your trusted partner


RSA, the Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle, no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, data loss prevention & encryption, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

©2008-2009 RSA Security Inc., all rights reserved. RSA, the RSA logo and enVision are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.

3IN1 SB 0309
