
RSA enVision


One of the key themes of the upcoming RSA Global Summit is how best to build a security operations center (SOC) both up and out.  This is not an easy task: more than any other area of IT or IT security, it requires the seamless marriage of the classic triad of people, processes, and technology.  Once an organization recognizes the need for systematic improvement in its incident detection and response, it soon recognizes that technology is generally the easiest part of the equation.  In fact, building a SOC up and out often coincides with the realization that there is no such thing as a security “magic box”.  What is needed is a balanced approach in which the technology both maximizes the efficiency and effectiveness of the SOC analysts and helps drive, prioritize, and improve the continual processes that make up an organization’s incident detection, investigation, and remediation program.  The bottom line for this blog entry: if you want to engage more deeply in this conversation in support of building your organization’s SOC up and out, plan to attend RSA’s Global (user) Summit this September 9-11.

RATs are hard to deal with in part because they are small, scamper around generally unseen, and take your stuff without your knowledge.  Of course anyone in this product community who is reading this knows that I am talking about Remote Access Trojans and not the small mammals with small noses and big tails.  Computer RATs and the people who develop and use them are just as cunning as their furry namesakes, but perhaps more dangerous.  There are many varieties of RATs out there (Hydraq, LURK, Sogu, Poison Ivy, etc.), but in general they share many characteristics: they tend to be small and downloaded invisibly, delivered via an email attachment to an unsuspecting and sufficiently socially engineered user; they typically enable user monitoring via keyloggers to steal the user’s credentials and other information; they take screenshots of the host system for delivery to their master; they install or delete software or reformat drives; and they can “recruit” their hosts and other machines on the network into botnet armies.  In short, RATs can be extremely valuable to the bad guys and extremely annoying to you and your organization.  But how do you detect and get rid of them?  If you want to learn more about RATs and how to find and eradicate them from your environment, I encourage you to come and take part in our upcoming user conference, the RSA Global Summit (early September in Washington DC).  Two sessions focus specifically on how to detect RATs: one using RSA Security Analytics and its network-based visibility (Blind Spot Analysis – Finding RAT Communications Through Entropy and Analytics), and the other using RSA ECAT and its endpoint-level visibility (Catching the RAT with ECAT).  Both are delivered by off-the-charts experts on the topic.  Check out these sessions as well as dozens of others on the Summit registration site.

IT Harvest's Richard Stiennon speaks with RSA's Matthew Gardiner about what incident response means today, why prevention is insufficient, and what capabilities are required to do it better, including the role of a CIRC or SOC.

IT-Harvest's Richard Stiennon speaks with RSA's Christina Jasinski about why traditional SIEM tools can't keep up with today's advanced threats and how RSA Security Analytics can provide the context and analytical capabilities required for incident detection and investigation.

Migrating to Security Analytics (SA) should be approached as an opportunity to improve your security monitoring, threat detection, and investigative capabilities. Many customers begin the migration process without taking the opportunity to revise or improve the core components of their SIEM program, such as their asset on-boarding policy, what level to log at, and, importantly, how to detect and respond to logs, or sets of logs, that are likely indicators of compromise.  Not to mention the extra level of visibility that comes with moving to a platform that also leverages full network packet capture and session reconstruction. This blog entry will highlight the critical attributes of a migration that improve your overall monitoring program, primarily from a log point of view, as this is where all RSA enVision customers currently sit.


Improving visibility requires mature log management. What logs do you need? Are you receiving the right logging levels? Create a spreadsheet first, listing what you currently receive in RSA enVision and at what level. Next, determine what additional logs would provide increased value. Many implementations are built on asset lists that appeared in an audit years ago. Revisiting the in-scope log sources should be a quarterly occurrence.  Why collect what you don’t need while not collecting what you do?
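The "spreadsheet" review described above can be turned into a repeatable check. The following is an added example, not code from the original post or from RSA: it compares a constructed asset inventory (asset, owner, in-scope flag, required log level) against a constructed snapshot of what the SIEM actually received, and reports in-scope assets that send nothing, assets whose verbosity is coarser than required, out-of-scope assets still being collected, and sources nobody has inventoried. The CSV columns, hostnames and level names are assumptions for illustration.

```python
import csv
import io

# Constructed sample inventory, standing in for the review spreadsheet.
# Columns and hostnames are invented for this example.
INVENTORY_CSV = """asset,owner,in_scope,required_level
dc01.corp.example,identity-team,yes,info
vpn-gw1.corp.example,network-team,yes,info
fw-edge1.corp.example,network-team,yes,warning
legacy-print01.corp.example,facilities,no,
web-prod1.corp.example,app-team,yes,info
"""

# Constructed snapshot of what the SIEM actually received in the last 24 hours.
# lowest_level_seen = the most verbose severity that arrived from that source.
OBSERVED_CSV = """source,events,lowest_level_seen
dc01.corp.example,184233,warning
vpn-gw1.corp.example,9021,info
legacy-print01.corp.example,412,info
db-prod3.corp.example,5533,info
"""

# syslog-style ordering: lower number = more verbose
LEVELS = {"debug": 0, "info": 1, "notice": 2, "warning": 3, "error": 4, "critical": 5}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def coverage_report(inventory_csv, observed_csv):
    """Gap analysis between the asset inventory and the log sources actually received.

    Returns a dict with four sorted lists:
      missing    - in-scope assets from which no logs arrived
      too_coarse - in-scope assets logging at a coarser level than required
      unneeded   - out-of-scope assets that are still being collected
      unknown    - sources sending logs that appear in no inventory at all
    """
    inventory = {r["asset"]: r for r in parse_csv(inventory_csv)}
    observed = {r["source"]: r for r in parse_csv(observed_csv)}
    report = {"missing": [], "too_coarse": [], "unneeded": [], "unknown": []}

    for asset, row in inventory.items():
        in_scope = row["in_scope"].strip().lower() == "yes"
        obs = observed.get(asset)
        if in_scope and obs is None:
            report["missing"].append(asset)
        elif in_scope:
            required = LEVELS[row["required_level"].strip().lower()]
            seen = LEVELS[obs["lowest_level_seen"].strip().lower()]
            # If the most verbose level arriving is more severe than what we
            # asked for, the detail we planned detections around is not there.
            if seen > required:
                report["too_coarse"].append(
                    (asset, row["required_level"], obs["lowest_level_seen"])
                )
        elif obs is not None:
            report["unneeded"].append(asset)

    for source in observed:
        if source not in inventory:
            report["unknown"].append(source)

    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    for category, items in coverage_report(INVENTORY_CSV, OBSERVED_CSV).items():
        print(f"{category}: {items}")
```

Run quarterly against an export of the real inventory and the collector's source statistics, the "unknown" and "unneeded" lists answer the question above directly, and "too_coarse" catches the common case where a device was re-provisioned with a default logging level after the original on-boarding.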


Determining which content (reports and alerts) to migrate has been challenging for many organizations. Traditional SIEM use cases are not as relevant against today’s threat actors. Targeted reconnaissance, weaponization, and delivery (think kill chain) by threat actors will bypass most traditional SIEM-based detection approaches. Your Active Directory (AD) could be compromised, with the threat actor successfully authenticating and using the VPN to reach your organization’s crown jewels. There are no multiple failed logins in this case, so looking for those won’t help your detection efforts.
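To make the point concrete, here is an added example (not code from the original post or from RSA) of detection logic that works on successful authentications only. It runs over constructed VPN gateway log lines in an invented key=value format; every line is an auth=success, so a failed-login threshold rule would see nothing. The logic builds a per-user baseline of countries seen during an initial window, then flags a success from a country the user has never authenticated from, and two successes from different countries closer together than a plausible travel time. The field names, hostnames, addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log lines in an invented syslog-like key=value format.
# Every record is a SUCCESSFUL authentication: a failed-login rule sees nothing here.
SAMPLE_LOGS = """\
2013-08-12T08:02:11Z vpn-gw1 auth=success user=jsmith src=203.0.113.7 geo=US
2013-08-12T08:05:40Z vpn-gw1 auth=success user=adoe src=198.51.100.22 geo=US
2013-08-12T12:31:09Z vpn-gw1 auth=success user=jsmith src=203.0.113.7 geo=US
2013-08-13T08:10:02Z vpn-gw1 auth=success user=jsmith src=203.0.113.9 geo=US
2013-08-13T09:15:44Z vpn-gw1 auth=success user=adoe src=198.51.100.22 geo=US
2013-08-14T03:12:33Z vpn-gw1 auth=success user=jsmith src=192.0.2.45 geo=RO
2013-08-14T08:01:07Z vpn-gw1 auth=success user=jsmith src=203.0.113.7 geo=US
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts' field."""
    ts, host, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = host
    return fields


def detect_credential_abuse(log_text, baseline_days=2, travel_window=timedelta(hours=6)):
    """Flag successful logins that look like use of stolen credentials.

    Baseline: logins on the first `baseline_days` calendar days of the data define
    each user's known set of countries (assumed clean for this example).
    Alerts:
      ("new_geo", user, geo, ts)              - success from a country never seen for this user
      ("impossible_travel", user, a->b, ts)   - two successes from different countries
                                                within `travel_window`
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    if not events:
        return []

    baseline_end = events[0]["ts"].date() + timedelta(days=baseline_days)
    known_geo = defaultdict(set)   # user -> countries seen so far
    last_event = {}                # user -> most recent successful login
    alerts = []

    for e in events:
        if e.get("auth") != "success":
            continue  # only successes matter for this use case
        user, geo = e["user"], e["geo"]
        in_baseline = e["ts"].date() < baseline_end

        if not in_baseline and geo not in known_geo[user]:
            alerts.append(("new_geo", user, geo, e["ts"].isoformat()))

        prev = last_event.get(user)
        if prev and prev["geo"] != geo and e["ts"] - prev["ts"] <= travel_window:
            alerts.append(("impossible_travel", user,
                           f'{prev["geo"]}->{geo}', e["ts"].isoformat()))

        known_geo[user].add(geo)
        last_event[user] = e

    return alerts


if __name__ == "__main__":
    for alert in detect_credential_abuse(SAMPLE_LOGS):
        print(alert)
```

In a real deployment the baseline would come from weeks of history rather than two days, and each alert would carry the designated stakeholder and response procedure discussed below, since a "new_geo" hit on a service account that never travels is a different conversation from one on a salesperson's account.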


Take the migration from enVision to SA as an opportunity to evaluate how many alerts from your SIEM detected an actual attack or a precursor event. Evaluate historical attacks for indicators that can be developed into an alert, report, or feed. Discuss this with your asset owners, conduct workshops, and develop new detective approaches to add to your migration. These efforts should lead to a “content migration workbook”: what content is targeted to migrate, what is new, and what watchlists need to be turned into SA feeds. Most importantly, a key stakeholder should be designated for each report or alert. Who cares about each alert or report? And do you have a response procedure to follow when that alert fires?


To properly architect your migration it is critical to define areas such as authentication and authorization, disaster recovery, business continuity, and overall system sizing. How are my security tool engineers going to authenticate to the underlying operating system, application, and data? What is my acceptable log-loss tolerance in the event of a site outage? Each disaster scenario should be carefully evaluated and receive sign-off from the key stakeholders.


Lastly, execute the design and ensure the intelligence, analytics, and business information gets into the right hands. Many organizations have excellent log analysis and alerting; however, they do not get it into the hands of the asset owners or the proper security analysts in a timely manner. For example, an alert could indicate that a piece of malware is on a host, and the issue is sent to the help desk for the system to be reimaged without extracting artifacts to analyze and categorize in the organization’s intelligence database, so the indicators are lost and the same malware goes undetected on the next host. Starting a migration with these principles built in ahead of time will increase the success rate of your enVision migration, or for that matter any monitoring program.

David Bruskin is an Advisory Consultant with the Advanced Cyber Defense Practice.

The security market in general and the SIEM market in particular have changed.  We can’t go back.  The ever expanding IT surface area and attacker sophistication have seen to that.  Organizations are increasingly recognizing that traditional preventive security controls, especially those that are perimeter and signature-based, are no longer sufficient.  Logically this has led organizations to more closely examine their detective security controls to mitigate the weaknesses with their preventive ones.


Which brings us back to SIEMs in general and RSA enVision in particular.  SIEMs that depend exclusively on logs/events and correlative analysis for visibility and intelligence have a limited role to play in detecting and investigating today’s most sophisticated attacks.  RSA recognized this trend many years ago and has been investing accordingly ever since.  One of our key product innovations in response was the release of RSA Security Analytics a little more than a year ago.  If you haven’t seen or read about RSA Security Analytics, please start to familiarize yourself.  There is no product on the market that compares with the level of visibility and context it provides to accelerate the detective and investigative work of security analysts and incident responders.


We have been investing heavily in Security Analytics for several years and believe we have a fantastic product, and encourage customers to migrate from enVision to Security Analytics to get:


• A single platform for log & network security monitoring

• Superior real-time & after-the-fact analysis

• Contextual business and IT data, incident response, & endpoint visibility

• Operationalized threat intelligence

• A security platform where compliance is an outcome of security, not the other way around


RSA has extensive support, services, product, and sales resources to help you in this transition.  We thus encourage you to reach out to your RSA Sales or Channel Partner team immediately to have them help you move your SIEM program forward.  We would be happy to take any questions you have as well.  Just “comment” on this blog or open up a new “discussion” in this community.


To learn more about Security Analytics, please check out the product web site:


RSA Security Analytics


To learn about the transition from enVision to Security Analytics, please check out this video on YouTube, delivered as part of our most recent RSA Summit:


Transitioning From RSA enVision to RSA Security Analytics - YouTube


RSA Security Analytics Summit 2013 Presentations


To see the most current RSA enVision primary support dates check out this page:


RSA enVision Support