FusionStorm - IT Delivered - an award-winning, information technology delivery (ITD) company


Network security breaches are like any other crime scene. The perpetrators leave behind clues that can help network administrators identify and even thwart the activity. Those clues are generated by network devices that diligently log every bit of security-related data. Trouble is, they generate so much data that it’s virtually impossible for network administrators to sift through it all. Security breaches go unsolved or even unnoticed because the evidence is buried in massive log files.

 

More and more organizations are utilizing centralized security information and event management (SIEM) tools to help them make sense of the high volumes of log and event data generated by network and security devices. SIEM solutions automate the collection, storage and correlation of millions of events from any number of security devices, networks, operating systems, databases and applications to help organizations identify anomalous behavior that may indicate an attack or security breach.

 

RSA enVision is a state-of-the-art SIEM solution that is engineered to collect, monitor, analyze and report on security event-related activity throughout the IT infrastructure. It is comprehensive, fast, scalable and reliable, enabling organizations to transform event data into actionable intelligence.

 

"RSA enVision helps us to solve one of our customers’ most perplexing challenges — managing, analyzing and reporting on the proliferation of security event data in order to meet business requirements and regulatory compliance mandates," said Lantz Litchfield, VP of Professional Services for RSA, FusionStorm. “Large organizations can utilize it to manage security and compliance in complex IT environments, and smaller organizations will value the simple deployment and out-of-the-box reporting capabilities. Because it is modular and scalable, it can benefit organizations of all sizes that are looking for an integrated SIEM solution.”

 

Combine and Conquer

The first systems of this kind, sold in the late 1990s as security information management (SIM) and security event management (SEM) products, were created to help network administrators make sense of the event logs generated by intrusion detection systems and firewalls. In a typical enterprise, an intrusion detection system can produce more than 500,000 messages per day and firewalls can generate millions of log records a day. Overworked security administrators needed a consolidated, real-time view of system and event logs to see the network’s overall health and better understand whether something was compromised or misconfigured, without having to check each device individually.

 

SIEM systems offer a better way. Monitored devices forward their logs to a central server, either through software agents on hosts or agentlessly over protocols such as syslog from devices that cannot run an agent, and the server watches for such things as misconfigurations, intrusions, out-of-date antivirus signatures or unapplied patches. The RSA enVision platform includes native support for hundreds of routers, switches, servers, applications and other data sources. Second-tier, proprietary and in-house-developed sources can be added through Universal Device Support, which provides a toolset for adding and managing new devices.

 

“To truly secure sensitive network and data assets, organizations must have a complete view of activity surrounding all the data on the network,” said Litchfield. “Complete collection of all event data, including employee activities, access to customer and financial information, and suspect or denied access attempts from outside the network, is key to full security and compliance regulation coverage. The RSA enVision platform is engineered to allow organizations to capture data in real time from thousands of disparate devices and applications across the enterprise. The Universal Device Support feature is built to provide the ability to add message collection from devices and applications in an ad-hoc manner.”

 

Besides being incredibly time consuming, manual gathering and review often leads to “apples to oranges” comparisons because different products format and classify events differently. For example, a Cisco router can have more than 6,000 different event signatures, and a Windows host server can have more than 7,000. The RSA enVision platform therefore first applies a taxonomy framework that normalizes incoming data and presents everything in a common format to the core analysis engine. Its rule-based correlation engine then combines the normalized events from multiple devices over specified time periods, event sequences or conditions, so that a denied connection on a firewall and a failed logon on a server can be matched “apples to apples”.
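The two steps described above, normalization into a common schema followed by a time-window correlation rule, as an added Python example. This is illustration code written for this article, not RSA enVision code and not the vendor's taxonomy or rule language. The log lines are constructed (they approximate a Cisco ASA deny message, OpenSSH auth logging and a Windows 4625 logon-failure event flattened to key=value text by a hypothetical forwarder), the year supplied for the year-less BSD syslog timestamps is an assumption, and the rule thresholds are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not captured from real devices. They approximate a
# Cisco ASA deny message, OpenSSH auth logging, and a Windows 4625 (logon
# failure) event flattened to key=value text by a hypothetical forwarder.
SAMPLE_LOGS = [
    'Mar 01 2024 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.7/22 by access-group "outside_in"',
    "Mar  1 10:01:12 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Mar  1 10:01:40 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51030 ssh2",
    "2024-03-01T10:02:30 win1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5 Status=0xC000006D",
    "Mar  1 10:03:05 host2 sshd[3310]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2",
    "2024-03-01T10:04:10 win1 EventID=4625 TargetUserName=bob IpAddress=198.51.100.9 Status=0xC000006D",
    'Mar 01 2024 11:30:00 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/5555 dst inside:10.0.0.9/3389 by access-group "outside_in"',
]

ASSUMED_YEAR = 2024  # BSD syslog timestamps carry no year; assumed for the example

# One parser per source format. Each yields the same named groups where the
# source has them; the gaps (no user on a firewall deny, etc.) become None.
ASA_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) %ASA-\d-106023: Deny \w+ "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/\d+"
)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>[\d.]+)"
)


def normalize(line):
    """Map one raw line onto a common schema (ts, device, src_ip, dst_ip, user,
    action, raw); return None for lines no parser understands."""
    m = ASA_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), "device": m["host"],
                "src_ip": m["src"], "dst_ip": m["dst"], "user": None, "action": "deny", "raw": line}
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        action = "auth_fail" if m["result"].startswith("Failed") else "auth_success"
        return {"ts": ts, "device": m["host"], "src_ip": m["src"], "dst_ip": None,
                "user": m["user"], "action": action, "raw": line}
    m = WIN_RE.match(line)
    if m:
        action = {"4625": "auth_fail", "4624": "auth_success"}.get(m["eid"], "other")
        return {"ts": datetime.fromisoformat(m["ts"]), "device": m["host"], "src_ip": m["src"],
                "dst_ip": None, "user": m["user"], "action": action, "raw": line}
    return None


def correlate(events, window=timedelta(minutes=5), min_events=3, min_devices=2):
    """Rule: one source IP producing at least min_events hostile events (denies or
    failed logons) seen by at least min_devices distinct devices inside a sliding
    window. Only works because every event now carries the same field names."""
    hostile = sorted((e for e in events if e["action"] in ("deny", "auth_fail")),
                     key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in hostile:
        by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start, alert = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            if alert is not None and evs[start]["ts"] > alert["last"]:
                alert = None  # window has moved past the open alert; a new cluster starts fresh
            span = evs[start:end + 1]
            devices = sorted({e["device"] for e in span})
            if len(span) >= min_events and len(devices) >= min_devices:
                if alert is None:
                    alert = {"src_ip": src, "first": span[0]["ts"]}
                    alerts.append(alert)
                # keep extending the open alert while the window still matches
                alert.update(count=len(span), devices=devices, last=span[-1]["ts"])
    return alerts


def run(lines=SAMPLE_LOGS):
    """Normalize every line, drop what no parser matched, then correlate."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    for a in run()[1]:
        print(f"ALERT {a['src_ip']}: {a['count']} hostile events from {a['devices']} "
              f"between {a['first']} and {a['last']}")
```

On the constructed input, 203.0.113.5 is flagged once: a firewall deny, two sshd failures and a Windows logon failure from three devices inside three minutes, while its isolated deny at 11:30 falls outside the window and does not re-fire. 198.51.100.9 is not flagged, because its one failed logon and one successful key-based login never meet the threshold. Note that the decision depends on the `action` field rather than on any device-specific text, which is exactly what normalization buys.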

 

Coping with Compliance

SIEM solutions are also becoming increasingly essential elements of an organization’s regulatory compliance strategy. SIEM systems help organizations fulfill the auditing and reporting aspects of regulations such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley because they demonstrate to auditors the ability to monitor and report on network activity in a repeatable manner. They also demonstrate that logs are being reviewed, or at least that critical events are being brought to someone's attention.

 

With its scalable data collection and broad view of all the collected data, the RSA enVision reporting engine is designed to provide quick and easy access to compliance-sensitive data. Built-in reports are available for specific compliance regimes including PCI DSS, SOX, FISMA, GLBA and HIPAA, and organizations can create reports based on their own compliance policies. The RSA enVision solution is engineered to provide more than 1,100 built-in reports.

 

“The RSA enVision platform is engineered to collect all the data necessary to effectively and efficiently maximize an organization's security posture and to reduce the burden of compliance,” said Litchfield. “It is designed to give companies an integrated, three-in-one solution for providing comprehensive, reliable log management, simplifying compliance through automated auditing, monitoring, alerting and reporting, and enhancing security and risk mitigation. The RSA enVision platform is also built to be integrated with EMC's network storage offerings, offering customers a cradle-to-grave approach for the management of security compliance log event data.”

 

Risks associated with sophisticated threats and compliance guidelines mean that organizations must collect, retain and analyze more security data than ever before. RSA enVision gives security teams an automated means to sift through all this data to discover solid clues about the activity within their IT environments.

Posted in: Articles
