Soft-Tronik Security day 2007 – Secure Data, Event and Access management, RSA enVision, RSA SecurID. Karol Piling, Technology consultant, RSA, The security division of EMC

Post on 31-Jan-2018


Page 1: Soft-Tronik Security day 2007 - An Arrow CompanyFILE/RS… · Soft-Tronik Security day 2007 Secure Data, Event and Access management, RSA enVision, RSA SecurID Karol Piling Technology

Soft-Tronik Security day 2007

Secure Data, Event and Access management, RSA enVision, RSA SecurID

Karol Piling

Technology consultant

RSA The security division of EMC

Page 2

On September 18, 2006:

• EMC completed the acquisition of RSA Security

• EMC announced the completed acquisition of Network Intelligence

• RSA Security became RSA, The Security Division of EMC

Page 3

The Mission of RSA, the Security Division of EMC

Continue investment in – and commitment to – current products, solutions and markets

Drive the information-centric security strategy for EMC which will enable customers to cost-effectively secure critical information assets wherever they live and at every step of the way

Page 4

Introducing Information-centric Security

In the past, guarding the perimeter against external threats was sufficient, but…

[Figure labels: Infrastructure, Data, People, Transactions]

Page 5

Introducing Information-centric Security

[Figure labels: infrastructure, data, people; partners, customers, employees]

Today's organizations are virtual, global, and dynamic.

Perimeters fail to protect data as it moves or repel internal threats.

Perimeter-centric security creates boundaries that hinder new business models.

Identity-centric security doesn't protect data, prevent data leakage or assure compliance.

Page 6

Introducing Information-centric Security

[Figure labels: partners, customers, employees]

Information-centric security binds security directly to information and the people who need it.

Page 7

Introducing Information-centric Security

[Figure labels: secure data, secure access, security information management; customers, partners, employees]

• Secure enterprise data: Preserve the confidentiality and integrity of critical data wherever it resides

• Secure employee access: Enable secure, anytime, anywhere access to corporate resources

• Secure partner access: Open internal systems to trusted partners

• Secure customer access: Offer self-service channels, prevent fraud, and enhance consumer confidence

• Manage security information: Comply with security policy and regulations

Page 8

RSA SecurID

Page 9

Vulnerability of Passwords

Compromised security

• Difficult to follow security best practices when password management involves post-it notes, Word and Excel files

• Passwords easily used by multiple end-users

Poor regulatory compliance

• Difficult to determine if the right person is accessing the requested information

Poor user experience

• End-users often forget their passwords and get locked out of applications

High helpdesk costs

• Average cost per helpdesk call, including lost wages and productivity, is approximately $58/call

Low user productivity

• Time taken away from value-added activities if locked out of system

Page 10

Two-Factor User Authentication

Something You Have: Software & Hardware Authenticators (Tokens)

Something You Know: PIN

Biometrics

Page 11

RSA SecurID

USERID: kpiling

PASSCODE: kzw08 032848 (PIN followed by TOKENCODE)

Token code: changes every 60 seconds

Unique 128-bit seed

Internal battery

Clock synchronised to GMT / UTC

PASSCODE = PIN + TOKENCODE

Page 12

RSA SecurID: Time Synchronous Two-Factor Authentication

[Diagram]

Token: Seed + Time → Algorithm → 032848

RSA Authentication Agent (on RAS, VPN, Web Server, WAP etc.)

RSA Authentication Manager: Seed + Time → Algorithm → 032848

Same Seed, Same Time
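A worked simulation of the time-synchronous scheme on this slide, added here as an illustration and not RSA's own code: the real SecurID algorithm is proprietary, so an HMAC-SHA256 over the shared seed and the 60-second time step is assumed as a stand-in, and the server-side drift window, replay check and the class name AuthenticationManager are likewise assumptions.

```python
# Added illustrative example (not RSA's code). The SecurID algorithm itself is
# proprietary; HMAC-SHA256 over (seed, 60 s time step) is ASSUMED as a stand-in.
import hashlib
import hmac

STEP_SECONDS = 60      # slide: token code changes every 60 seconds
CODE_DIGITS = 6        # slide example: 032848
DRIFT_STEPS = 1        # assumed: server tolerates +/- one 60 s window of clock drift


def tokencode(seed: bytes, unix_time: int) -> str:
    """Token side: derive the 6-digit code from the shared seed and the current time step."""
    step = unix_time // STEP_SECONDS
    mac = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


class AuthenticationManager:
    """Server side (assumed name): holds seed + PIN per user, checks PASSCODE = PIN + TOKENCODE."""

    def __init__(self):
        self._users = {}   # userid -> [seed, sha256(pin), last accepted time step]

    def enroll(self, userid: str, seed: bytes, pin: str) -> None:
        self._users[userid] = [seed, hashlib.sha256(pin.encode()).digest(), -1]

    def verify(self, userid: str, passcode: str, unix_time: int) -> bool:
        rec = self._users.get(userid)
        if rec is None:
            return False
        seed, pin_hash, last_step = rec
        # "Something you know": the PIN is whatever precedes the last six digits.
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            return False
        # "Something you have": same seed, same time. Both sides compute the code
        # independently; the server also tries neighbouring windows for drift.
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - DRIFT_STEPS, now_step + DRIFT_STEPS + 1):
            if step <= last_step:
                continue   # replay protection: each time step is accepted at most once
            if hmac.compare_digest(tokencode(seed, step * STEP_SECONDS), code):
                rec[2] = step
                return True
        return False


if __name__ == "__main__":
    demo_seed = bytes(range(16))          # constructed 128-bit seed
    am = AuthenticationManager()
    am.enroll("kpiling", demo_seed, "kzw08")
    now = 1_700_000_000
    print(am.verify("kpiling", "kzw08" + tokencode(demo_seed, now), now))   # True
    print(am.verify("kpiling", "kzw08" + tokencode(demo_seed, now), now))   # False (replay)
```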

Page 13

RSA SecurID – a broad range of form factors today

RSA SecurID Hardware Tokens

• Key fob, Standard card, PinPad

• SID700, SID800

RSA SecurID Software Tokens

• Windows PC

• Microsoft PocketPC

• Palm Handhelds

• Blackberry Handhelds

• Mobile Phones

Smart Cards

USB Authenticators

Page 14

SID 800 Authenticator Support

SID 800, SSO, and Smart Card applications

• As a smart card

  • Two factor with Windows credential or certificate

  • Key for unlocking Hard Disk Encryption solutions

  • Access to Digital Certificates for secure e-mail, signing, and file encryption needs

• As a SecurID authenticator

  • Automatically fulfills passcode requirements for SecurID enabled applications

  • Seamless access to VPNs

• Boot and HDD encryption

  • Pointsec, Safeboot, Utimaco, Winmagic ... www.rsasecured.com

Page 15

What is our Software Token offering?

Desktop Software Token

SecurID Toolbar Token

Mobile Software Tokens

• RIM Blackberry

• Microsoft PocketPC 2003

• Palm OS

• Java Phone

• Windows Mobile 5.0

Page 16

RSA SecurID: Authentication in Action

RSA Authentication Manager and Appliance

Use cases:

• Web Access

• Citrix

• VPN Gateway

• WAP/802.11 Wireless

• Administrative Access

• OS/Network Devices

• Data Encryption and Boot Protection

• Enterprise SSO

• Web SSO

• Federated Identity Management

Page 17

An Introduction to RSA enVision

Security Information and Event Management

Page 18

What our SIEM Solution does

[Figure: many events flowing in; Consolidation, Traceability, Meta Alerting, Reporting]

Page 19

RSA enVision: Market-Proven Leadership

Market Presence: Over 800 major enterprise and government accounts

Vision: An enterprise platform for compliance & security operations

Technology: Patent-pending Internet Protocol Database™ (IPDB); All the data for compliance and security success

Technology Partners

- Network: Cisco, Juniper, Nortel, Foundry

- Security: Symantec, ISS, McAfee, Check Point, RSA

- Operating System: Microsoft, Linux / Unix, Sun / HP, IBM AS400/Main

- Application: MS Exchange, Oracle, MS SQL

- Other: Websense, Bluecoat, Apache, EMC / NetApp

Accolades: "Leader, 3rd Year in a Row", "Only vendor with all the data", "Excellent", "2005 Appliance bake-off winner", "Leader", "Largest Market Presence"

Page 20

The Enterprise Today: Mountains of data, many stakeholders

How do you collect & protect all the data necessary to secure your network and comply with critical regulations?

Data sources: Router logs, IDS/IDP logs, VPN logs, Firewall logs, Switch logs, Windows logs, Client & file server logs, Wireless access logs, Windows domain logins, Oracle Financial logs, SAN file access logs, VLAN access & control logs, DHCP logs, Linux, Unix, Windows OS logs, Mainframe logs, Database logs, Web server activity logs, Content management logs, Web cache & proxy logs, VA scan logs

Stakeholder needs: Unauthorized Service Detection, IP Leakage, Configuration Control, Lockdown enforcement, False Positive Reduction, Access Control Enforcement, Privileged User Management, Malicious Code Detection, Spyware detection, Real-Time Monitoring, Troubleshooting, User Monitoring, SLA Monitoring

Page 21

Growth of Enterprise Silos: Redundant Information Management

[Figure: separate silos for Access Control Software, Financial Software, Firewalls, Operating Systems, Workstations, Antivirus Software, Intrusion Prevention]

Page 22

Solution: RSA enVision – An Information Management Platform… for Compliance & Security Operations

Compliance Operations: Access Control, Configuration Control, Malicious Software, Policy Enforcements, User Monitoring & Management, Environmental & Transmission Security

Security Operations: Access Control Enforcement, SLA Compliance Monitoring, False Positive Reduction, Real-time Monitoring, Unauthorized Network Service Detection, More…

All the Data – Log Management

• Any enterprise IP device – Universal Device Support (UDS)

• No filtering, normalizing, or data reduction

• Security events & operational information

• No agents required

Stakeholders: Server Engineering, Business Ops., Compliance Audit, Application & Database, Network Ops., Risk Mgmt., Security Ops., Desktop Ops.

Platform functions: Report, Alert/Correlation, Incident Mgmt., Log Mgmt., Asset Ident., Forensics, Baseline

Page 23

RSA enVision Protects the Enterprise

eCommerce Operations: Secure operations of all systems and data associated with eCommerce operations

Internal Systems & Applications: Secure operations of all systems and data associated with internal network services and applications

Perimeter Network Operations: Securely connect the enterprise to the Internet and other required corporate entities

Page 24

RSA enVision: A Framework for Security Operations

[Matrix: each Security Objective rated per Security Environment (Internal Systems & Applications, eCommerce Operations, Perimeter Network Operations); legend: Most critical / Highly desired / Desired; rating symbols not reproduced]

Security Objectives:

• SLA Compliance Monitoring: Proof of delivery; Monitor against baselines

• Unauthorized Network Service Detection: Shutdown rogue services; Intellectual property leakage

• Watchlist Enforcement: External threat exposure; Internal investigations

• Correlated Threat Detection: Watch remote network areas; Consolidate distributed IDS alerts

• False Positive Reduction: Confirm IDS alerts; Enable critical alert escalation

• Real-time Monitoring: Troubleshoot network & security events; "What is happening?"

• Access Control Enforcement: Privileged user monitoring; Corporate policy conformance

Product Capabilities:

• Log Management

• Asset Identification

• Baseline

• Report & Audit

• Alert

• Forensic Analysis

• Incident Management

Page 25

Correlation Example – Worm Detection

Correlation Rule Name: W32.Blaster Worm

The goal of this rule is to detect Blaster worm variants as well as other malicious code by analyzing network traffic patterns.
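A worked version of a correlation rule of the kind this slide describes, added here as an illustration; it is not an enVision rule export. Blaster propagated by probing TCP/135 (DCOM RPC) on many hosts in quick succession, so the rule raises one alert when a single source reaches many distinct destinations on port 135 within a short window. The firewall log format, the thresholds and the sample lines are constructed.

```python
# Added illustrative example, not enVision's rule language. Constructed log
# format: "<ISO time> <device> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>".
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(\S+) (\S+) (ACCEPT|DROP) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse(line):
    """Turn one constructed firewall line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, device, action, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": device, "action": action,
            "src": src, "dst": dst, "dport": int(dport)}


def detect_scan(lines, port=135, threshold=5, window_s=60):
    """Correlate events: alert once per source that touches >= threshold distinct
    destinations on `port` within a sliding window of window_s seconds.
    Lines are assumed to arrive in time order, as a collector would deliver them."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    alerted, alerts = set(), []
    for ev in filter(None, map(parse, lines)):
        if ev["dport"] != port:
            continue                      # only the worm's propagation port matters here
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                   # expire events older than the window
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])        # one alert per source, not one per packet
            alerts.append({"rule": "W32.Blaster Worm", "src": ev["src"],
                           "distinct_targets": len(targets),
                           "first": q[0][0], "last": ev["ts"]})
    return alerts


# Constructed sample: 10.0.0.5 sweeps port 135 across a subnet; 10.0.0.9 talks RPC
# to a single domain controller, which is normal traffic and must not alert.
SAMPLE_LOGS = [
    "2007-03-12T10:00:01 fw1 DROP TCP 10.0.0.5:1034 -> 10.0.1.1:135",
    "2007-03-12T10:00:02 fw1 DROP TCP 10.0.0.5:1035 -> 10.0.1.2:135",
    "2007-03-12T10:00:02 fw1 ACCEPT TCP 10.0.0.9:2201 -> 10.0.2.10:135",
    "2007-03-12T10:00:03 fw1 DROP TCP 10.0.0.5:1036 -> 10.0.1.3:135",
    "2007-03-12T10:00:04 fw1 ACCEPT TCP 10.0.0.5:1037 -> 10.0.1.4:80",
    "2007-03-12T10:00:05 fw1 DROP TCP 10.0.0.5:1038 -> 10.0.1.4:135",
    "2007-03-12T10:00:09 fw1 ACCEPT TCP 10.0.0.9:2202 -> 10.0.2.10:135",
    "2007-03-12T10:00:12 fw1 DROP TCP 10.0.0.5:1039 -> 10.0.1.5:135",
    "2007-03-12T10:00:15 fw1 DROP TCP 10.0.0.5:1040 -> 10.0.1.6:135",
    "2007-03-12T10:00:40 fw1 ACCEPT TCP 10.0.0.9:2203 -> 10.0.2.10:135",
]

if __name__ == "__main__":
    for alert in detect_scan(SAMPLE_LOGS):
        print(alert)   # one alert for 10.0.0.5 with 5 distinct targets
```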

Page 26

RSA enVision: Future-proof compliance solutions

"Companies that choose individual solutions for each regulatory challenge they face will spend 10 times more on compliance projects than those that take a proactive approach."

– Lane Leskela, Research Director

Page 27

RSA enVision: A Framework for Compliance Operations

[Matrix: each Compliance Objective rated per Compliance Environment (HIPAA, GLBA, BASEL II, FISMA, PCI, Sarbanes-Oxley); legend: Critical to this compliance environment / Highly desired in compliance environment; rating symbols not reproduced]

Compliance Objectives:

• Environmental & Transmission Security: Secure data transmissions; Proactive security of the network

• Policy Enforcement: Verify user activity against policy; Prevent information leakage

• User Monitoring & Management: Monitor user privileges; Enforcement of account policies

• Malicious Code Detection: Anomaly monitoring against baselines; Reporting of outbreaks

• Configuration Control: Change control lockdown enforcement; Unapproved software monitoring

• Access Control Enforcement: Privileged user monitoring; Unauthorized user access

Product Capabilities:

• Log Management

• Asset Identification

• Baseline

• Report & Audit

• Alert

• Forensic Analysis

• Incident Management

Page 28

Log Management with the LogSmart® Internet Protocol Database

Page 29

The Log Management Checklist

Collect and Protect "All the Data"

• Any enterprise IP device

• Security exception events and IT operations information

• No filtering, normalizing, or data reduction

Enable Compliance and Security Operations

• Customizable work environments for compliance and security professionals

• Standard, customizable compliance & security reports / alerts

• Industry-leading Compliance and Security ILM tools

Minimize Operational Costs

• Compressed data store

• Easy to deploy appliance package

• No DBA resources required

• No agents required

Page 30

LogSmart® Internet Protocol Database

• No agents required

• Flexible XML UDS engine

• Raw logs (95%+ data compression); ~70% overall compression

• Security event & operations info. No data filtering

• Easy to deploy appliance packaging

• Parallel architecture ensures alert performance

• Customizable work environments; fully customizable compliance & security reports

Page 31

RSA enVision and LogSmart IPDB: All the Data™ with Consistently High Performance

Limitations of Relational Database

• Not designed for unstructured data (log)

• Requires processing (filter, normalize, parse)

• Data Explosion: indexes & related data structure information is added (can result in <10x data)

• Data Loss: events are lost due to selective collection or system bottleneck

• Unpredictable consumption / Unpredictable Alerts: collection bottleneck impacts use of data (e.g. alerts)

LogSmart IPDB

• Encrypted

• Compressed

• Parallel analysis

• Authenticated

Page 32

RSA enVision: The LogSmart® IPDB™ Advantage

[Chart: Data Storage Advantage – GBs Per Day (0 to 250) at 1000 EPS, 5000 EPS and 10,000 EPS, RDBMS vs LogSmart IPDB]

[Chart: Collection Rate Advantage – System Performance in Events Per Second (0 to 10,000), RDBMS vs LogSmart IPDB]

Page 33

RSA enVision Deployment: Scales from a single appliance….

Page 34

RSA enVision Deployment: …To a distributed, enterprise-wide architecture

Legend: A-SRV: Analysis Server; D-SRV: Data Server; LC: Local Collector; RC: Remote Collector

[Diagram: Bombay, Remote Office (RC); London, European Headquarters (D-SRV, LCs, NAS); New York, WW Compliance Operations (A-SRV, D-SRVs, LC, NAS); Chicago, WW Security Operations (A-SRV, D-SRV)]

Page 35

Industry Leading Scalability

Driver | Locations | Devices | Events

Security (Configuration Control, Access Control Enforcement, Privileged User Monitoring) | 34 | 30,000 | 240K/Sec, 20B/Day, 76.8T/Year

Compliance & Security (Real-Time Monitoring, False Positive Reduction, Access Control Enforcement) | 18 | 20,000 | 180K/Sec, 15.5B/Day, 5.6T/Year

Compliance (SAS 70 Compliance) | 28 | 28,000 | 450K/Sec, 38.8T/Day, 148T/Year

Compliance & Security (Log Management, Monitoring Firewalls For Audits) | 4 | 4,000 | 80K/Sec, 6.9B/Day, 2.5T/Year

Compliance (Internal Audit) | 3 | 17,000 | 95K/Sec, 8.2T/Day, 2.9T/Year

Organization column (as labelled on the slide): MSSP, INTERNAL

Page 36

RSA enVision: Stand-alone Appliances to Distributed Solutions

[Chart: appliance models plotted by EPS (500, 1000, 2500, 5000, 10000, 30000) against # DEVICES (100, 200, 400, 750, 1250, 1500, 2048, 7500, 30,000, 300,000); ES Series and LS Series]

Page 37

Supported Protocols

> Syslog, Syslog NG

> SNMP

> Formatted log files

  > Comma/tab/space delimited, other

> ODBC connection to remote databases

> Push/pull XML files via HTTP

> Windows event logging API

> CheckPoint OPSEC interface

> Cisco IDS POP/RDEP/SDEE

Page 38

Network Intelligence: Compliance and Security Operations

Enterprise-wide Log Management Platform: All the Data

Capabilities: Baseline, Reports, Alerts, Forensics, Asset Identification, Incident Management

Serving: Compliance Operations, Business Operations, Security Operations

Page 39

Thank you!

Karol Piling – [email protected]