Soft-Tronik Security Day 2007
Secure Data, Event and Access Management: RSA enVision, RSA SecurID
Karol Piling, Technology Consultant
RSA, The Security Division of EMC
On September 18, 2006:
EMC completed the acquisition of RSA Security
EMC announced the completed acquisition of Network Intelligence
RSA Security became RSA, The Security Division of EMC
The Mission of RSA, the Security Division of EMC
Continue investment in – and commitment to – current products, solutions and markets
Drive the information-centric security strategy for EMC which will enable customers to cost-effectively secure critical information assets wherever they live and at every step of the way
Introducing Information-centric Security
In the past, guarding the perimeter against external threats was sufficient, but…
(Diagram: Infrastructure, Data, People, Transactions)
Introducing Information-centric Security
Today's organizations are virtual, global, and dynamic (partners, customers, employees)
Perimeters fail to protect data as it moves or to repel internal threats
Perimeter-centric security creates boundaries that hinder new business models
Identity-centric security doesn't protect data, prevent data leakage or assure compliance
Introducing Information-centric Security
Information-centric security binds security directly to information and the people who need it (customers, partners, employees)
(Diagram: secure data, secure access)
Introducing Information-centric Security
(Diagram: customers, partners, employees; security information management)
Secure enterprise data: Preserve the confidentiality and integrity of critical data wherever it resides
Secure employee access: Enable secure, anytime, anywhere access to corporate resources
Secure partner access: Open internal systems to trusted partners
Secure customer access: Offer self-service channels, prevent fraud, and enhance consumer confidence
Manage security information: Comply with security policy and regulations
RSA SecurID
Vulnerability of Passwords
Compromised security
• Difficult to follow security best practices when password management involves Post-it notes, Word and Excel files
• Passwords easily used by multiple end-users
Poor regulatory compliance
• Difficult to determine if the right person is accessing the requested information
Poor user experience
• End-users often forget their passwords and get locked out of applications
High helpdesk costs
• Average cost per helpdesk call, including lost wages and productivity, is approximately $58/call
Low user productivity
• Time taken away from value-added activities if locked out of system
Two-Factor User Authentication
Something You Have: software & hardware authenticators (tokens)
Something You Know: PIN
Biometrics
RSA SecurID
USERID: kpiling
PASSCODE: kzw08 032848
PIN: kzw08; TOKENCODE: 032848
Token code: changes every 60 seconds
Unique 128-bit seed
Internal battery
Clock synchronised to GMT / UTC
PASSCODE = PIN + TOKENCODE
RSA SecurID: Time Synchronous Two-Factor Authentication
(Diagram)
Token: Seed + Time -> Algorithm -> 032848
RSA Authentication Agent (on RAS, VPN, Web Server, WAP etc.) passes the submitted passcode to the RSA Authentication Manager
RSA Authentication Manager: Same Seed + Same Time -> Algorithm -> 032848
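The seed + time -> algorithm -> tokencode flow above, as an added example that is not RSA's code: an HMAC-based derivation (TOTP-style) stands in for RSA's proprietary SecurID algorithm, the 128-bit seed and PIN values are constructed, and the verifying side is assumed to tolerate one 60-second step of clock drift.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # tokencode changes every 60 seconds (per the slide)
DIGITS = 6          # the slide's example tokencode is 032848
# Constructed 128-bit seed shared by token and Authentication Manager;
# a placeholder value, not a real SecurID seed.
DEMO_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PIN = "kzw08"  # the PIN shown in the slide's example passcode


def tokencode(seed: bytes, now: float) -> str:
    """Code for the 60-second window containing `now`.

    Both sides run this with the same seed and the same time; that is the
    whole idea of time-synchronous authentication. HMAC-SHA1 with dynamic
    truncation (TOTP-style) stands in for RSA's proprietary algorithm.
    """
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def passcode(pin: str, seed: bytes, now: float) -> str:
    """What the user types: PASSCODE = PIN + TOKENCODE."""
    return pin + tokencode(seed, now)


def verify(submitted: str, pin: str, seed: bytes, now: float,
           drift_steps: int = 1) -> bool:
    """Authentication Manager side: same seed, same time, same algorithm.

    A window of +/- drift_steps tolerates a token clock that is slightly
    off; the comparison is constant-time so a wrong passcode does not leak
    through timing which characters were right.
    """
    if len(submitted) != len(pin) + DIGITS:
        return False
    for step in range(-drift_steps, drift_steps + 1):
        expected = pin + tokencode(seed, now + step * STEP_SECONDS)
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = passcode(DEMO_PIN, DEMO_SEED, now)
    print("PASSCODE:", code, "accepted:", verify(code, DEMO_PIN, DEMO_SEED, now))
```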
RSA SecurID – a broad range of form factors today
RSA SecurID Hardware Tokens
• Key fob, Standard card, PinPad
• SID700, SID800
RSA SecurID Software Tokens
• Windows PC
• Microsoft PocketPC
• Palm Handhelds
• Blackberry Handhelds
• Mobile Phones
Smart Cards
USB Authenticators
SID 800 Authenticator Support
SID 800, SSO, and Smart Card applications
• As a smart card
  • Two factor with Windows credential or certificate
  • Key for unlocking hard disk encryption solutions
  • Access to digital certificates for secure e-mail, signing, and file encryption needs
• As a SecurID authenticator
  • Automatically fulfils passcode requirements for SecurID-enabled applications
  • Seamless access to VPNs
• Boot and HDD encryption
  • Pointsec, Safeboot, Utimaco, Winmagic ... www.rsasecured.com
What is our Software Token offering?
Desktop Software Token
SecurID Toolbar Token
Mobile Software Tokens
• RIM Blackberry
• Microsoft PocketPC 2003
• Palm OS
• Java Phone
• Windows Mobile 5.0
RSA SecurID: Authentication in Action
RSA Authentication Manager and Appliance, protecting:
Web Access
Citrix
VPN Gateway
WAP/802.11 Wireless
Administrative Access
OS/Network Devices
Data Encryption and Boot Protection
Enterprise SSO
Web SSO
Federated Identity Management
An Introduction to RSA enVision
Security Information and Event Management
What our SIEM Solution does
(Diagram: events from many sources flow in; consolidation, traceability, reporting and meta alerting)
RSA enVision: Market-Proven Leadership
Market Presence: Over 800 major enterprise and government accounts
Vision: An enterprise platform for compliance & security operations
Technology: Patent-pending Internet Protocol Database™ (IPDB); all the data for compliance and security success
Technology Partners:
- Network: Cisco, Juniper, Nortel, Foundry
- Security: Symantec, ISS, McAfee, Check Point, RSA
- Operating System: Microsoft, Linux / Unix, Sun / HP, IBM AS400/Main
- Application: MS Exchange, Oracle, MS SQL
- Other: Websense, Bluecoat, Apache, EMC / NetApp
Accolades: "Leader, 3rd Year in a Row"; "Only vendor with all the data"; "Excellent"; "2005 Appliance bake-off winner"; "Leader"; "Largest Market Presence"
The Enterprise Today: Mountains of data, many stakeholders
How do you collect & protect all the data necessary to secure your network and comply with critical regulations?
Log sources:
Router logs
IDS/IDP logs
VPN logs
Firewall logs
Switch logs
Windows logs
Client & file server logs
Wireless access logs
Windows domain logins
Oracle Financial logs
SAN file access logs
VLAN access & control logs
DHCP logs
Linux, Unix, Windows OS logs
Mainframe logs
Database logs
Web server activity logs
Content management logs
Web cache & proxy logs
VA scan logs
Stakeholder needs:
Unauthorized Service Detection
IP Leakage
Configuration Control
Lockdown enforcement
False Positive Reduction
Access Control Enforcement
Privileged User Management
Malicious Code Detection
Spyware detection
Real-Time Monitoring
Troubleshooting
User Monitoring
SLA Monitoring
Growth of Enterprise Silos: Redundant Information Management
(Diagram: Access Control Software, Financial Software, Firewalls, Operating Systems, Workstations, Antivirus Software, Intrusion Prevention)
Solution: RSA enVision, An Information Management Platform…
Compliance Operations: Access Control; Configuration Control; Malicious Software; Policy Enforcements; User Monitoring & Management; Environmental & Transmission Security
Security Operations: Access Control Enforcement; SLA Compliance Monitoring; False Positive Reduction; Real-time Monitoring; Unauthorized Network Service Detection; More…
All the Data
Log Management
Any enterprise IP device – Universal Device Support (UDS)
No filtering, normalizing, or data reduction
Security events & operational information
No agents required
Stakeholders: Server Engineering, Business Ops., Compliance Audit, Application & Database, Network Ops., Risk Mgmt., Security Ops., Desktop Ops.
Capabilities: Report, Alert/Correlation, Incident Mgmt., Log Mgmt., Asset Ident., Forensics, Baseline
…For Compliance & Security Operations
RSA enVision Protects the Enterprise
eCommerce Operations: Secure operations of all systems and data associated with eCommerce operations
Internal Systems & Applications: Secure operations of all systems and data associated with internal network services and applications
Perimeter Network Operations: Securely connect the enterprise to the Internet and other required corporate entities
RSA enVision: A Framework for Security Operations
Security Objectives and their components:
SLA Compliance Monitoring: Proof of delivery; Monitor against baselines
Unauthorized Network Service Detection: Shutdown rogue services; Intellectual property leakage
Watchlist Enforcement: External threat exposure; Internal investigations
Correlated Threat Detection: Watch remote network areas; Consolidate distributed IDS alerts
False Positive Reduction: Confirm IDS alerts; Enable critical alert escalation
Real-time Monitoring: Troubleshoot network & security events; "What is happening?"
Access Control Enforcement: Privileged user monitoring; Corporate policy conformance
Security Environments: Internal Systems & Applications; eCommerce Operations; Perimeter Network Operations
Legend: Most critical / Highly desired / Desired (the per-environment priority markings are not preserved in this text)
Product Capabilities:
• Log Management
• Asset Identification
• Baseline
• Report & Audit
• Alert
• Forensic Analysis
• Incident Management
Correlation Example – Worm Detection
Correlation Rule Name: W32.Blaster Worm
The goal of this rule is to detect Blaster worm variants as well as other malicious code by analyzing network traffic patterns.
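As an added illustration of the kind of traffic pattern such a correlation rule evaluates (this is not the enVision rule itself, whose logic the slide does not show): a single source reaching many distinct hosts on one destination port inside a short window. The firewall log format, hostnames, addresses and timestamps are constructed; TCP port 135 appears in the sample because Blaster propagated over that port, but the detector is port-agnostic unless told otherwise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed key=value format; the
# hosts, addresses and times are made up for this illustration.
SAMPLE_LOGS = """\
2007-09-18 10:00:01 fw1 ACCEPT src=10.1.1.5 dst=10.1.2.10 proto=tcp dport=135
2007-09-18 10:00:02 fw1 ACCEPT src=10.1.1.5 dst=10.1.2.11 proto=tcp dport=135
2007-09-18 10:00:02 fw1 ACCEPT src=10.1.1.9 dst=10.1.2.50 proto=tcp dport=80
2007-09-18 10:00:03 fw1 ACCEPT src=10.1.1.5 dst=10.1.2.11 proto=tcp dport=135
2007-09-18 10:00:03 fw1 DROP src=10.1.1.5 dst=10.1.2.12 proto=tcp dport=135
2007-09-18 10:00:04 fw1 DROP src=10.1.1.5 dst=10.1.2.13 proto=tcp dport=135
2007-09-18 10:00:05 fw1 ACCEPT src=10.1.1.9 dst=10.1.2.51 proto=tcp dport=80
2007-09-18 10:00:05 fw1 DROP src=10.1.1.5 dst=10.1.2.14 proto=tcp dport=135
"""

LINE_RE = re.compile(r"^(\S+ \S+) \S+ \S+ src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)$")


def parse(line):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_spread(lines, window_seconds=60, min_targets=5, port=None):
    """Flag a source that reaches >= min_targets distinct hosts on one
    destination port within the window: the fan-out of a scanning worm.
    Dropped connections count too (the attempt is the signal); repeat hits
    on the same host do not. Returns (src, dport, distinct_targets, time)."""
    window = timedelta(seconds=window_seconds)
    events = sorted(filter(None, (parse(l) for l in lines)), key=lambda e: e[0])
    history = defaultdict(list)  # (src, dport) -> [(ts, dst)] inside the window
    alerted, alerts = set(), []
    for ts, src, dst, dport in events:
        if port is not None and dport != port:
            continue
        hist = history[(src, dport)]
        hist.append((ts, dst))
        while ts - hist[0][0] > window:  # age out events older than the window
            hist.pop(0)
        targets = {d for _, d in hist}
        if len(targets) >= min_targets and (src, dport) not in alerted:
            alerted.add((src, dport))
            alerts.append((src, dport, len(targets), ts))
    return alerts
```

Running `detect_spread(SAMPLE_LOGS.splitlines())` flags 10.1.1.5 on port 135 once it has touched five distinct hosts, while 10.1.1.9's two web connections stay below the threshold.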
RSA enVision: Future-proof compliance solutions
"Companies that choose individual solutions for each regulatory challenge they face will spend 10 times more on compliance projects than those that take a proactive approach."
- Lane Leskela, Research Director
RSA enVision: A Framework for Compliance Operations
Compliance Objectives and their components:
Environmental & Transmission Security: Secure data transmissions; Proactive security of the network
Policy Enforcement: Verify user activity against policy; Prevent information leakage
User Monitoring & Management: Monitor user privileges; Enforcement of account policies
Malicious Code Detection: Anomaly monitoring against baselines; Reporting of outbreaks
Configuration Control: Change control lockdown enforcement; Unapproved software monitoring
Access Control Enforcement: Privileged user monitoring; Unauthorized user access
Compliance Environments: HIPAA; GLBA; Basel II; FISMA; PCI; Sarbanes-Oxley
Legend: Critical to this compliance environment / Highly desired in compliance environment (the per-environment markings are not preserved in this text)
Product Capabilities:
• Log Management
• Asset Identification
• Baseline
• Report & Audit
• Alert
• Forensic Analysis
• Incident Management
Log Management with the LogSmart® Internet Protocol Database
• Collect and Protect "All the Data"
  • Any enterprise IP device
  • Security exception events and IT operations information
  • No filtering, normalizing, or data reduction
• Enable Compliance and Security Operations
  • Customizable work environments for compliance and security professionals
  • Standard, customizable compliance & security reports / alerts
  • Industry-leading compliance and security ILM tools
• Minimize Operational Costs
  • Compressed data store
  • Easy to deploy appliance package
  • No DBA resources required
  • No agents required
The Log Management Checklist
LogSmart® Internet Protocol Database:
• No agents required
• Flexible XML UDS engine
• Raw logs (95%+ data compression), ~70% overall compression
• Security event & operations info., no data filtering
• Easy to deploy appliance packaging
• Parallel architecture ensures alert performance
• Customizable work environments
• Fully customizable compliance & security reports
RSA enVision and LogSmart IPDB: All the Data™ with Consistently High Performance
Limitations of a Relational Database:
• Not designed for unstructured data (logs)
• Requires processing (filter, normalize, parse)
• Data Explosion: indexes & related data structure information is added (can result in <10x data)
• Data Loss: events are lost due to selective collection or system bottleneck
• Unpredictable Alerts: unpredictable consumption; a collection bottleneck impacts use of data (e.g. alerts)
LogSmart IPDB:
• Encrypted
• Compressed
• Parallel analysis
• Authenticated
RSA enVision: The LogSmart® IPDB™ Advantage
(Chart: Data Storage Advantage, GBs per day at 1,000 / 5,000 / 10,000 events per second, RDBMS vs LogSmart IPDB)
(Chart: Collection Rate Advantage, system performance in EPS on a 0 to 10,000 scale, RDBMS vs LogSmart IPDB)
RSA enVision Deployment: Scales from a single appliance…
(Diagram: Bombay remote office with an RC)
RSA enVision Deployment: …To a distributed, enterprise-wide architecture
A-SRV: Analysis Server; D-SRV: Data Server; LC: Local Collector; RC: Remote Collector
(Diagram) London, European Headquarters: D-SRV, LCs, NAS
New York, WW Compliance Operations: A-SRV, D-SRVs, LC, NAS
Chicago, WW Security Operations: A-SRV, D-SRV
Industry Leading Scalability
Driver | Locations | Devices | Events
Security (Configuration Control, Access Control Enforcement, Privileged User Monitoring) | 34 | 30,000 | 240K/sec, 20B/day, 76.8T/year
Compliance & Security (Real-Time Monitoring, False Positive Reduction, Access Control Enforcement) | 18 | 20,000 | 180K/sec, 15.5B/day, 5.6T/year
Compliance (SAS 70 Compliance) | 28 | 28,000 | 450K/sec, 38.8T/day, 148T/year
Compliance & Security (Log Management, Monitoring Firewalls For Audits) | 4 | 4,000 | 80K/sec, 6.9B/day, 2.5T/year
Compliance (Internal Audit) | 3 | 17,000 | 95K/sec, 8.2T/day, 2.9T/year
Organization column: MSSP, INTERNAL (customer names shown as logos are not preserved in this text)
RSA enVision: Stand-alone Appliances to Distributed Solutions
(Chart: events per second from 500 to 30,000 against number of devices from 100 to 30,000; ES Series and LS Series product lines)
Supported Protocols
> Syslog, Syslog NG
> SNMP
> Formatted log files
  > Comma/tab/space delimited, other
> ODBC connection to remote databases
> Push/pull XML files via HTTP
> Windows event logging API
> CheckPoint OPSEC interface
> Cisco IDS POP/RDEP/SDEE
Network Intelligence: Compliance and Security Operations
(Diagram) Enterprise-wide Log Management Platform: Baseline, Reports, Alerts, Forensics, Asset Identification, Incident Management
All the Data, serving Compliance Operations, Business Operations and Security Operations
Thank you!
Karol Piling – [email protected]