Solution Brief
RSA Security Incident Management: Enabling Next Generation Security Operations
Enabling Next Generation Security Operations
The need for advanced security operations is becoming more prevalent in today’s information-centric business world. The strategic value of an information security function that can detect, respond to and protect company assets effectively and efficiently is critical to the organization’s success. RSA has developed a wide range of technologies and expertise to help organizations implement advanced security operations. From strong authentication to data encryption to infrastructure security management, RSA’s products deliver sophisticated answers to today’s complex threats.
A fundamental starting point in building advanced security operations is the organization’s capability to identify, investigate and resolve security incidents. Before an organization can truly get in front of the risks and threats to its infrastructure, it must manage the most pressing and immediate issues. Security Incident Management is the process within security operations that must be tackled first, before more sophisticated capabilities can be achieved.
The Need for Advanced Security Incident Management
The reasons for maturing an organization’s security incident management function are many:
– Advanced persistent threats (APTs) have become a reality for companies in all industries. These targeted attacks can come from a myriad of sources and involve sophisticated approaches that require unprecedented vigilance.
– Today’s business depends on technology infrastructure that is often distributed across a wide expanse of both physical and virtual environments. Cloud computing, virtualization and mobile work forces are just a few examples of the “hyper-extended enterprise”: an organization with a disappearing physical and logical boundary.
– Managing security incidents is not just a fundamental need for security itself; it is driven by internal and external compliance requirements as well. It is not enough to identify the events: global laws and industry regulations demand that security events be investigated and resolved.
– Finally, business criticality must drive prioritization. There are simply too many events and too few resources to chase everything that appears on the radar screen. Organizations can quickly exhaust their security resources hunting down false positives or tracking issues that, in the end, are just not business critical.
To bring security operations into the next generation, the organization must have an intelligent, comprehensive strategy for Security Incident Management.
An Integrated Solution
The RSA Security Incident Management Solution is an integrated set of security tools that accelerates the identification, prioritization, investigation and resolution of security incidents. The solution includes the RSA enVision security incident and event management (SIEM) platform, for collecting and analyzing log and event data to quickly identify high-priority security incidents as they occur. Once the critical events within the infrastructure are identified, RSA Archer Incident Management enables the security function to manage the complete investigation and resolution of the incident. Integration between the two products allows security analysts to combine enVision event data with information from the RSA Archer eGRC platform to add business context to the incident for quicker prioritization. The end result is the efficient and effective investigation and remediation of the security incident.
An integrated platform for managing all security incidents, with a solution relevant to the entire security function from the analyst to the CISO.
The blend of a SIEM infrastructure and a governance, risk and compliance (GRC) platform is an unprecedented solution in the market. Unlike other GRC vendors, the solution brings real-time event data into the key risk and compliance process of security incident management. Combining the business information within the GRC platform with the event data in the SIEM infrastructure adds an extraordinary dimension to the log and system data. Finally, the empirical data provided by the security incident management process greatly improves the overall view of the compliance and security risks in the organization.
The RSA enVision Platform
With enVision technology, your security operations team has a true SIEM solution for addressing its network security management challenges. Security and IT administrators can interrogate the full volume of stored data through an intuitive dashboard. Advanced analytical software turns unstructured raw data into valuable business information, giving administrators actionable insights to help simplify compliance, enhance security and optimize IT and security operations.
Administrators can automatically collect log data about their network and security infrastructure, as well as file, application and user activity, helping to simplify the event management process. Over 1400 reports and policies are included and tailored to today’s specific compliance requirements and industry regulations. enVision stores all log data without filtering or normalization and protects it from tampering, providing a verifiably authentic source of archived data.
With real-time security event alerts, monitoring and drill-down forensic functionality, enVision gives administrators a clear view and understanding of the threats and risks to the infrastructure and applications so they can take more effective actions to mitigate those risks. IT support staff can use the RSA enVision platform to track and manage activity logs for servers, networking equipment and storage platforms, as well as monitor network assets and the availability and status of users, hardware and business applications. enVision provides an intelligent forensic tool for troubleshooting infrastructure problems and protecting infrastructure resources, providing granular visibility into specific end-user behaviors so that business-critical resources and the security and operations teams can be managed more efficiently and effectively.
RSA Archer Incident Management
RSA Archer Incident Management streamlines the complete case management lifecycle for security incidents. This web-based solution allows you to document security incidents, evaluate incident criticality, and assign response team members based on business impact and regulatory requirements. You can also consolidate response procedures and manage security investigations.
A robust reporting engine allows you to report on trends, losses, recovery efforts and related issues. RSA Archer Incident Management allows organizations to effectively handle security incidents that occur anywhere business is done, from detection through analysis and resolution. The solution can limit access to incident data to only those individuals directly involved in investigation, resolution and analysis. Advanced features such as automated e-mail notifications and workflow support a robust process that can meet any organization’s security incident response needs.
The solution also allows management to improve their risk management abilities by delivering a detailed incident history and audit trail. Dashboards and reports provide insight into the actual risks and threats within the operations to support informed business decisions. Historical data can illustrate how incidents impact your business units, facilities, personnel, technology infrastructure and vendor relationships.
RSA Archer eGRC Platform
Underpinning this entire process is the RSA Archer eGRC platform. Security incident management requires business information to correctly prioritize and manage the risk associated with each incident. Information such as the relationship between business processes and the devices impacted by the incident provides the context around the incident and helps administrators make the right decisions. The RSA Archer eGRC platform includes a complete Enterprise Management module to document company assets, from individual devices up to business products and services. This catalog of assets clarifies the true impact of any security incident by giving real business context to the incident analysis process.
“The RSA Security Incident Management solution enables me to implement a comprehensive security incident management program to react to threats to my business while optimizing resource effectiveness.”
Senior VP of Information Security, Financial Services client
www.rsa.com
©2011 EMC Corporation. EMC2, EMC, RSA, enVision, Archer and the RSA logo are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products or services mentioned are trademarks of their respective companies.
SIMEGRC SB 0311
Why Choose RSA Security Incident Management
The RSA Security Incident Management solution addresses the massive overload of event data across the infrastructure, helping you to allocate resources appropriately to manage the security incidents that most impact your business. By meeting both compliance and risk requirements, the solution enables a fundamental process within security operations. In addition to the technical solution, RSA also offers a comprehensive portfolio of services to leverage your investment in RSA products and to ensure that your Incident Management Solution is deployed effectively, optimizing the time-to-benefit.
Improving security incident management capability reduces risks across the infrastructure, reduces the time and effort required to respond to security events and improves visibility for the IT and security management teams, helping them to meet today’s complex threat universe.
RSA Security Incident Management Solution
– Centralizes event management and consolidates the data into actionable information
– Allows you to identify critical events through alerts and event correlation rules
– Combines event and business asset data for prioritization and analysis
– Enables a complete incident lifecycle from identification to resolution
– Gives management visibility into operational incidents to make better business and risk decisions.
Security incident management in action
1. Events occur on critical systems indicating a potential security breach.
2. The RSA enVision platform collects the events for immediate triage and reporting.
3. Based on event rules, an alert is triggered and security administrators are notified. The RSA Connector Framework automatically creates an incident in RSA Archer Incident Management, associating the specific event data with the incident.
4. Security administrators use RSA Archer Incident Management along with information from the RSA Archer eGRC platform to assess the situation. An investigation is initiated and the incident is tracked and resolved.
5. The CISO has complete visibility through the entire process via dashboards and reporting.
Diagram components: RSA enVision, RSA Connector Framework, RSA Archer Incident Management, RSA Archer Enterprise Management.
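As an added illustration of steps 2 through 4 above (example code written for this page, not RSA's own software): constructed login events are run through a simple correlation rule, each match becomes an incident record, and a constructed asset catalog standing in for the eGRC Enterprise Management data supplies the business criticality that drives priority. The host names, the rule thresholds and the severity × criticality scoring are assumptions, not values from the brief.

```python
from collections import defaultdict

# Constructed sample events standing in for collected SIEM log data: (time_s, host, event_type, user)
EVENTS = [
    (100, "db-prod-01", "auth_fail", "svc_backup"), (105, "db-prod-01", "auth_fail", "svc_backup"),
    (110, "db-prod-01", "auth_fail", "svc_backup"), (115, "db-prod-01", "auth_success", "svc_backup"),
    (200, "kiosk-lobby-03", "auth_fail", "guest"), (201, "kiosk-lobby-03", "auth_fail", "guest"),
    (202, "kiosk-lobby-03", "auth_fail", "guest"), (204, "kiosk-lobby-03", "auth_success", "guest"),
    (300, "web-dmz-02", "auth_fail", "admin"), (400, "web-dmz-02", "auth_success", "admin"),
]
# Constructed asset catalog standing in for eGRC enterprise management data:
# host -> (business process it supports, business criticality 1..5)
ASSETS = {"db-prod-01": ("Customer payments", 5), "kiosk-lobby-03": ("Visitor sign-in", 1)}

RULE_MIN_FAILS = 3   # correlation rule (assumed): at least this many failures...
RULE_WINDOW_S = 60   # ...within this many seconds, then a success for the same host/user

def correlate(events):
    """Apply the failures-then-success rule per (host, user); return one alert per match."""
    alerts, fails = [], defaultdict(list)
    for ts, host, etype, user in sorted(events):
        key = (host, user)
        # Drop failures that have fallen out of the sliding window
        fails[key] = [t for t in fails[key] if ts - t <= RULE_WINDOW_S]
        if etype == "auth_fail":
            fails[key].append(ts)
        elif etype == "auth_success" and len(fails[key]) >= RULE_MIN_FAILS:
            alerts.append({"host": host, "user": user, "events": fails[key] + [ts]})
            fails[key] = []
    return alerts

def open_incidents(alerts, assets, severity=3):
    """Turn alerts into incident records enriched with business context, highest priority first."""
    incidents = []
    for a in alerts:
        # Hosts missing from the catalog get a mid-range criticality rather than being dropped
        process, crit = assets.get(a["host"], ("Uncatalogued asset", 3))
        incidents.append({**a, "business_process": process, "severity": severity,
                          "criticality": crit, "priority": severity * crit})
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)

if __name__ == "__main__":
    for inc in open_incidents(correlate(EVENTS), ASSETS):
        print(f"P{inc['priority']:>2} {inc['host']:<16} {inc['business_process']:<20} {len(inc['events'])} events")
```

The single failure on web-dmz-02 falls outside the window and never becomes an alert, while the two matching sequences are ranked by the business criticality of the host rather than by event count alone.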