RSA Solution Brief

Upload by : Jayda Dunning

Streamlining Security Operations with RSA Data Loss Prevention and RSA enVision

Who is asking for this?
A Brief on the Security Operations Center user

The job of the Security Operations team, whether in a large organization with dedicated staff and resources, or in a small company with one person assuming multiple responsibilities, is to keep information assets secure by continuously monitoring the organization’s IT environment, anticipating and responding to immediate threats and long-term vulnerabilities and providing advice and guidance on security matters to both senior management and business units.

To be effective, security operations professionals must draw on tools that, day in and day out, turn a myriad of real-time events into actionable data. They need an efficient closed-loop process for handling incidents and mitigating risk. They also need the visibility necessary to assess the effectiveness of security policies, processes and resources and the controls necessary to fine-tune them.

Drivers for Information Discovery

There is a growing shift in IT from perimeter-focused security measures to information-centric security. Information is the backbone of business and in an uncertain economy it is more important than ever to focus management efforts on securing this information. This is even more apparent when viewed in contrast with traditional perimeter security measures that have become ineffective and increasingly expensive to scale with the universal expansion of information across an enterprise.

One of the key problems that security operations professionals face is the gap between business operations’ use of information technology and corporate security policy. This gap and the resulting organizational barriers often make traditional security measures hard to implement. As a result, security operations professionals are increasingly turning to tools such as Data Loss Prevention (DLP) to identify critical information within the enterprise and Security Information and Events Management (SIEM) solutions to provide much-needed information risk discovery and management.

What is the RSA enVision platform?

The RSA enVision platform collects, analyzes, correlates and alerts based on log data from all event sources across the network and IT infrastructure. It also intelligently combines real-time threat, vulnerability, IT asset and environmental data. This helps organizations to respond quickly and thoroughly to high-risk security issues and to pinpoint the places where problems are likely to appear. By automating manual processes and increasing productivity, the RSA enVision platform delivers increased security while reducing cost.

With over 1600 production customers world-wide across every industry, including 5 of the Fortune 10 and 40% of top global banks, the RSA enVision platform:

– Provides real-time, actionable security information for quick and accurate threat detection and alerting by combining event data, asset and vulnerability information. Utilizing intelligent correlation capabilities, security professionals can prioritize and focus on the issues that support the business needs.

– Improves analyst productivity by streamlining the incident handling process by providing access to real, empirical data and offering a built-in workflow – from initial identification and prioritization of an incident to investigation with contextual information, escalation, resolution, closure and archiving. Security professionals can efficiently and effectively accelerate problem resolution.

– Increases the effectiveness of security measures and resources by giving security professionals visibility into their enterprise, the status of an incident, the vulnerability and risk of high-priority assets and the use of security resources. Through comprehensive reporting and easy to use dashboards, security organizations can focus staff on high-risk issues and adapt and adjust policies, procedures and investments in order to mitigate risk.

[Figure: RSA enVision Information Management Platform for Network, Compliance & Security Operations. Panel titles: Simplifying Compliance (compliance reports for regulations and internal policy); Enhancing Security (real-time security alerting and analysis); Optimizing IT & Network Operations. Event sources shown feeding the RSA enVision Log Management platform: security devices, network devices, applications / databases, servers, storage.]

What is RSA Data Loss Prevention?

The RSA Data Loss Prevention (DLP) Suite is an integrated suite of data security products that provides a proactive approach to managing your business risk associated with the loss of sensitive data. Together, the RSA DLP Datacenter, Network and Endpoint modules, which comprise the DLP Suite, create a comprehensive data loss prevention solution that:

– Discovers and protects sensitive data in the data center, on the network and on the end points while leveraging common policies across the infrastructure. DLP helps locate sensitive data no matter where it resides, including file systems, databases, e-mail systems, large SAN/NAS environments, and end points.

– Mitigates risk through identity-aware, policy-based remediation and enforcement. RSA DLP leverages Active Directory Groups on the network and at the end point. Integration with Microsoft Rights Management Service (RMS) provides group-specific controls and enables protection beyond the company’s boundaries.

– Reduces total cost of ownership with industry-leading scalability, incident handling and workflow, and a comprehensive policy library. A dedicated information classification and policy research team provides finely-tuned policies, content types and classification modules, resulting in very high accuracy ratings. The result is less time required to set up and tune policies and faster value delivery from the DLP system. RSA DLP scales across the enterprise and offers great flexibility, including optional temporary agents and grid scanning. The lowest possible TCO is achieved by leveraging existing customer hardware for DLP and requiring fewer hours for set-up and ongoing maintenance.

[Figure: RSA Data Loss Prevention Suite. Components shown: DLP Datacenter, DLP Network, DLP Endpoint and Enterprise Manager (Dashboard, Incidents, Reports, Policies, Admin). Caption: The RSA DLP Suite gives you insight into the risk status and trends of sensitive data in your enterprise – based on policies – regardless of whether the data resides in a data center, on a network or out at the endpoints.]

Combined Data Loss Prevention and enVision Deployment Scenario

In order to initially detect and audit sensitive data, the customer first configures policies and content detection modules in RSA DLP. The Enterprise Manager module receives events from the DLP components whenever a policy violation is detected. As events are generated, the Enterprise Manager forwards the relevant event and user information to the enVision platform. The customer uses the enVision platform to collect, correlate, analyze and alert on this information in combination with asset and user information from other sources. The feedback from that analysis is used to fine-tune DLP policies to ensure sensitive data is stored and used appropriately.

[Figure: combined deployment. Components shown: DLP Network, DLP Datacenter and DLP Endpoint (RSA Data Loss Prevention), Enterprise Manager, RSA enVision platform.]

Combined deployment applies the powerful analysis and correlation features of the RSA enVision platform to the content-aware information discovery provided by RSA Data Loss Prevention. The integration brings enVision log parsing and reporting to all DLP events, which are forwarded to enVision via syslog by the DLP Enterprise Manager. Beginning with RSA enVision 4.0 and RSA Data Loss Prevention 7.0, this capability is offered out-of-the-box, with no complex setup required in either product. This feature will be offered to all RSA enVision platform customers via the monthly content update package.

Use Cases

Use Case: Security Incident Impact Classification

A security operations center (SOC) professional has to monitor and respond to many different types of security incidents such as malware attacks, vulnerability exploits and access spoofing. Via an integrated enVision and DLP solution, efficient correlation of security and DLP event logs can help the analyst quickly determine the severity and impact of a potentially urgent incident. By providing insight into the type and sensitivity of information involved in the incident, DLP can help the SOC analyst decide when and how to remediate it and assess what damage has been done.

Use Case: Watchlisting

The SOC user may receive an alert from the enVision platform that indicates suspicious user activity but does not in itself represent a security breach. In this case, the analyst may want to correlate the suspicious activity with all of the other activity by the same user. Using the RSA enVision platform with event input from DLP, the SOC user can quickly gather all of that user’s information and find a pattern of actions that, when taken as a whole, could represent a much more severe incident than the original alert. For instance, a user sending a financial spreadsheet to a personal e-mail account may generate an alert, but it may become much more serious if the analyst discovers that same user has also been copying numerous other sensitive documents to a personal thumb drive.

Use Case: Data Movement Forensics

As the SOC analyst uses the event data from DLP to make real-time decisions about security breaches, the forensic analyst uses the same data to strengthen an internal investigation. Incorporating DLP events into the enVision platform allows an analyst to look beyond what data repositories a user had access to. The analyst can now see exactly what types of data the user could access, how sensitive that data was, and what actions the user took or attempted with that information.

Whereas previously the analyst could only determine that a user under investigation had access to a given SharePoint site, he can now prove that the SharePoint site contained a sensitive customer list that the user then copied to a USB thumb drive and also e-mailed to a competitor – all within the same enVision interface. This level of detailed information gives the SOC user an unparalleled ability to investigate security incidents.

Use Case: Critical Business Information Discovery

Discovery of where sensitive data resides and how it is protected is the first step in securing that data. Through the integration between DLP and the enVision platform, all information about critical security assets and sensitive corporate data can be stored and analyzed in one place. Now, the enVision platform can become the centralized tool for monitoring the vulnerability status of various IT assets and correlating it with the critical business information they contain.

There are numerous benefits to creating this centralized information store, ranging from a simplified report generation process – the result of a single interface – to an improved feedback loop, allowing for precise tuning of existing security measures. A firewall, for instance, may be modified to be more restrictive once the data that it protects is learned to be extremely sensitive. It is the combination of DLP and the enVision platform that makes this type of holistic analysis feasible.

Use Case: Privileged User Reporting

Information and its users change frequently, which requires compliance reporting to be an ongoing pursuit. On its own, the RSA enVision platform offers per-user alerting and reporting regarding what data was accessed. With the addition of DLP events into the enVision platform, the security specialist can add a new layer of reporting that indicates not only what data was accessed but also what the sensitivity or confidentiality of that data was. The analyst can now generate compliance reports to show what types of data privileged users can access, as well as what data is actually being accessed and which movements of that data are affecting compliance.

FEATURE

– Out-of-the-box integration of RSA Data Loss Prevention with the enVision event stream
– Report security violations by user, department, information and infrastructure
– Query user or asset incident by information sensitivity

BENEFIT

– Enrich SOC environment in real time with business sensitivity metrics.
– Discover sensitive data and all related information to enable action on faulty business processes
– Prioritize and remediate security incidents by information sensitivity
– Execute data movement forensics including user access activity, data movement, asset & information criticality.

Conclusion

The integration of RSA Data Loss Prevention and the RSA enVision platform combines the powerful analysis, correlation, and reporting features of the enVision platform with the comprehensive information discovery capabilities of RSA DLP. Together, RSA DLP & the RSA enVision platform become part of a compelling solution to deliver business-centric information security. By enhancing traditional auditing methods with content-aware information discovery, customers can gain critical insight into where their sensitive data lives and how well it is being protected, allowing them to fine-tune controls and report on access more effectively than ever before.

RSA Data Loss Prevention Suite and RSA enVision together can identify business risk and report on it in the most efficient way possible. DLP events are natively sent to the RSA enVision platform to streamline the process of understanding security risk across information, identities and infrastructure.

[Figure: process diagram with the following labels]

– Policies and classification templates are configured in DLP
– DLP Enterprise Manager receives events when policies are violated and forwards them to the enVision platform as they occur
– Security operations team receives the alerts and takes necessary actions to reduce business risk
– The enVision platform collects, analyzes, correlates and alerts on events from many sources

RSA is your trusted partner

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance.

RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

© 2009 RSA Security Inc. All Rights Reserved. RSA, RSA Security, enVision and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. SharePoint and Microsoft are registered trademarks or trademarks of the Microsoft Corporation in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.

DLPENV SB 0409
