RSA Security Incident Management - Dell EMC Germany

Solution Brief RSA SECURITY INCIDENT MANAGEMENT Enabling Next Generation Security Operations

Upload: lydiep

Post on 31-Jan-2018


Page 1: RSA Security Incident Management - Dell EMC Germany · PDF file: the RSA Security Incident Management Solution is an integrated set of security tools that ... ©2011 EMC Corporation


ENABLING NEXT GENERATION SECURITY OPERATIONS

The need for Advanced Security Operations is becoming more and more prevalent in today’s information-centric business world. The strategic value of an information security function within the organization that can detect, respond and protect company assets effectively and efficiently is critical to that organization’s success. RSA has developed a wide range of technologies and expertise to help organizations implement advanced security operations. From strong authentication to data encryption to infrastructure security management, RSA’s products deliver sophisticated answers to today’s complex threats.

A fundamental starting point in building critical advanced security operations is the capability of the organization to identify, investigate and resolve security incidents. Before an organization can truly get in front of the risks and threats to its infrastructure, it must manage the most pressing and immediate issues. Security Incident Management is the process within security operations that must first be tackled before more sophisticated capabilities can be achieved.

The Need for Advanced Security Incident Management

The reasons for maturing an organization’s security incident management function are many:

– Advanced persistent threats (APTs) have become a reality for companies in all industries. These targeted attacks can come from a myriad of sources and involve sophisticated approaches that require unprecedented vigilance.

– Today’s business depends on technology infrastructure that is often distributed across a wide expanse – both physical and virtual environments. Cloud computing, virtualization and mobile work forces are just a few examples of the “hyper-extended enterprise” – an organization with a disappearing physical and logical boundary.

– Managing security incidents is not just a fundamental need for security itself, but is driven by both internal and external compliance requirements as well. It is not enough just to identify the events; global laws and industry regulations demand that security events be investigated and resolved.

– Finally, business criticality must drive prioritization. There are simply too many events and too few resources to chase everything that appears on the radar screen. Organizations can quickly exhaust their security resources hunting down false positives or tracking issues that, in the end, are just not business critical.

To bring security operations into the next generation, the organization must have an intelligent, comprehensive strategy for Security Incident Management.

AN INTEGRATED SOLUTION

The RSA Security Incident Management Solution is an integrated set of security tools that accelerate the identification, prioritization, investigation and resolution of security incidents. The solution includes the RSA enVision security incident and event management (SIEM) platform, for collecting and analyzing log and event data to quickly identify high priority security incidents as they occur. Once the critical events within the infrastructure are identified, RSA Archer Incident Management then enables the security function to manage the complete investigation and resolution of the incident.

Integration between the two products allows security analysts to utilize enVision event data and the information from the RSA Archer eGRC Platform to add business context to the incident for quicker prioritization. The end result is the efficient and effective investigation and remediation of the security incident.

An integrated platform for managing all security incidents with a solution relevant to the entire security function from the analyst to the CISO.


The blend of a SIEM infrastructure and a governance, risk and compliance (GRC) platform is an unprecedented solution in the market. Unlike other GRC vendors, the solution brings real-time event data into the key risk and compliance process of security incident management. Combining the business information within the GRC platform with the event data in the SIEM infrastructure brings extraordinary dimension to the log and system data. Finally, the empirical data provided by the security incident management process greatly improves the overall view of the compliance and security risks in the organization.

THE RSA ENVISION PLATFORM

With enVision technology, your security operations team has a true SIEM solution for addressing their network security management challenges. Security and IT administrators can interrogate the full volume of stored data through an intuitive dashboard. Advanced analytical software turns unstructured raw data into valuable business information, giving administrators actionable insights to help simplify compliance, enhance security and optimize IT and security operations.

Administrators can automatically collect log data about their network and security infrastructure, as well as file, application, and user activity, helping to simplify the event management process. Over 1400 reports and policies are included and tailored to today’s specific compliance requirements and industry regulations. enVision stores all log data without filtration or normalization and protects it from tampering, providing a verifiably authentic source of archived data.

With real-time security event alerts, monitoring and drill-down forensic functionality, enVision gives administrators a clear view and understanding of the threats and risks to the infrastructure and applications so they can take more effective actions to mitigate those risks. IT support staff can use the RSA enVision platform to track and manage activity logs for servers, networking equipment, and storage platforms, as well as monitor network assets and the availability and status of users, hardware, and business applications. enVision provides an intelligent forensic tool for troubleshooting infrastructure problems and protecting infrastructure resources, providing granular visibility into specific behaviors by end-users to more efficiently and effectively manage your business critical resources and security and operations teams.

RSA ARCHER INCIDENT MANAGEMENT

RSA Archer Incident Management streamlines the complete case management lifecycle for security incidents. This web-based solution allows you to document security incidents, evaluate incident criticality, and assign response team members based on business impact and regulatory requirements. You can also consolidate response procedures and manage security investigations.

A robust reporting engine allows you to report on trends, losses, recovery efforts and related issues. RSA Archer Incident Management allows organizations to effectively handle security incidents that occur anywhere business is done, from detection through analysis and resolution. The solution lets you limit access to incident data to only those individuals directly involved in investigation, resolution and analysis. Advanced features such as automated e-mail notifications and workflow support a robust process that can meet any organization’s security incident response needs.

The solution also allows management to improve their risk management abilities by delivering a detailed incident history and audit trail. Dashboards and reports provide insight into the actual risks and threats within the operations to make informed business decisions. Historical data can illustrate how incidents impact your business units, facilities, personnel, technology infrastructure and vendor relationships.

RSA Archer eGRC Platform

Underpinning this entire process is the RSA Archer eGRC Platform. Security incident management requires business information to correctly prioritize and manage the risk associated with each incident. Information such as the relationship between business processes and the devices impacted by the incident provides the context around the incident and helps administrators make the right decisions. The RSA Archer eGRC Platform includes a complete Enterprise Management module to document company assets – from individual devices up to business products and services. This catalog of assets clarifies the true impact of any security incident by giving real business context to the incident analysis process.

“The RSA Security Incident Management solution enables me to implement a comprehensive security incident management program to react to threats to my business while optimizing resource effectiveness.”

Senior VP of Information Security, Financial Services client

www.rsa.com

©2011 EMC Corporation. EMC2, EMC, RSA, enVision, Archer and the RSA logo are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products or services mentioned are trademarks of their respective companies.

SiMegRc SB 0311

WHY CHOOSE RSA SECURITY INCIDENT MANAGEMENT

The RSA Security Incident Management solution addresses the massive overload of event data across the infrastructure, helping you to utilize resources appropriately to manage the security incidents that most impact your business. By meeting both compliance and risk requirements, the solution enables a fundamental process within security operations. In addition to the technical solution, RSA also offers a comprehensive portfolio of services to leverage your investment in RSA products and to ensure that your Incident Management Solution is deployed effectively, optimizing the time-to-benefit.

Improving security incident management capability reduces risks across the infrastructure, reduces the time and effort required to respond to security events and improves visibility for the IT and security management teams, helping them to meet today’s complex threat universe.

RSA SECURITY INCIDENT MANAGEMENT SOLUTION

– Centralizes event management and consolidates the data into actionable information

– Allows you to identify critical events through alerts and event correlation rules

– Combines event and business asset data for prioritization and analysis

– Enables a complete incident lifecycle from identification to resolution

– Gives management visibility into operational incidents to make better business and risk decisions.

Security incident management in action

1. Events occur on critical systems indicating a potential security breach.

2. RSA enVision platform collects the events for immediate triage and reporting.

3. Based on event rules, an alert is triggered and security administrators are notified. The RSA Connector Framework automatically creates an incident in RSA Archer Incident Management, associating the specific event data to the incident.

4. Security administrators use RSA Archer Incident Management along with information from the RSA Archer eGRC Platform to assess the situation. An investigation is initiated and the incident is tracked and resolved.

5. The CISO has complete visibility through the entire process via dashboards and reporting.

[Figure: Security incident management in action. Components labeled: RSA enVision, RSA Connector Framework, RSA Archer Incident Management, RSA Archer Enterprise Management]