RSA Cracks Down on Security Threats with enVision 4.0
March 10, 2009 Alex Woodie
RSA yesterday unveiled a new version of its security information and event management (SIEM) software, enVision 4.0. With the new release, the EMC subsidiary has introduced several new features aimed at making it easier to correlate and make sense of the security-related log and vulnerability data that is inundating organizations. And in a bid to show enVision is not just for big enterprises, RSA unveiled two new appliances for medium-size companies.
RSA bills enVision, which it obtained with its 2006 acquisition of Network Intelligence, as a three-in-one SIEM platform aimed at solving the three interrelated problems of network visibility, regulatory compliance, and security. With more than 1,600 customers, enVision is certainly one of the most highly visible SIEM platforms on the market. And with its capability to gather and correlate pertinent log data from hundreds of pieces of equipment commonly found in datacenters–including IBM System i servers–the product should be on the research list of any enterprise IT administrator in the market for a SIEM solution.
As is the case with most IT security products, enVision’s goal is a moving target. Security administrators must continually adapt to changing conditions as new security vulnerabilities are revealed and the hacking techniques of for-profit cyber criminals evolve to take advantage of those vulnerabilities. As the main control panel for achieving an enterprise-wide view of an organization’s security posture, SIEM products are under an enormous amount of pressure to adapt to new security threats while trying to keep administrators from becoming overburdened with data and decision making.
In other words, continuous automation is the name of the game in the SIEM world, and RSA strives to deliver that with enVision 4.0.
For starters, enVision now hooks into configuration management database (CMDB) products, such as EMC’s own Voyence Control, and vulnerability scanners to get the most accurate and up-to-date list of assets, so that it can map the products to current threats. Hooking into CMDBs and vulnerability scanners “vastly improved our ability to add context to the log data we’re gathering,” RSA’s Paul Stamp says in a blog posting.
enVision 4.0 also delivers better alerting capabilities to notify analysts when high risk vulnerabilities are discovered, and also brings improved correlation rules that should be easier for customers to customize for their specific environment. Many of these rules were developed by RSA partner Assurent, Stamp writes. “Not only are the rules top-notch, but they come with a whole set of background information about what the rules mean, how to tailor them to your environment, and what to do when they fire.”
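To make concrete what "adding context to log data" from a CMDB and a vulnerability scanner looks like, here is an added illustrative example in Python. It is not enVision code or anything RSA ships; the asset inventory, scan findings, log lines, rule and priority scheme are all constructed for the example, and the finding identifiers are placeholders.

```python
"""Illustrative SIEM-style enrichment and correlation (added example, not enVision code).

Each firewall event is enriched with CMDB asset context and open scanner findings
for the targeted port, then a correlation rule decides whether, and how loudly,
to alert. All data below is constructed for the example.
"""

# Constructed CMDB extract: what each asset is, who owns it, how critical it is.
CMDB = {
    "10.0.1.5": {"hostname": "erp-db01", "role": "database",
                 "owner": "finance-it", "criticality": "high"},
    "10.0.1.9": {"hostname": "kiosk-03", "role": "workstation",
                 "owner": "facilities", "criticality": "low"},
}

# Constructed vulnerability scanner export: open findings keyed by asset and port.
# Finding IDs are placeholders, not real advisories.
VULN_SCAN = [
    {"ip": "10.0.1.5", "port": 1433, "severity": "high", "finding": "FINDING-PLACEHOLDER-1"},
    {"ip": "10.0.1.9", "port": 445, "severity": "medium", "finding": "FINDING-PLACEHOLDER-2"},
]

# Constructed key=value firewall log lines.
RAW_LOGS = [
    "2009-03-09T10:01:02 src=198.51.100.7 dst=10.0.1.5 dport=1433 action=allow",
    "2009-03-09T10:01:05 src=198.51.100.7 dst=10.0.1.9 dport=445 action=allow",
    "2009-03-09T10:01:09 src=198.51.100.7 dst=10.0.1.5 dport=22 action=deny",
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_event(line):
    """Split a 'timestamp key=value ...' line into a dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = ts
    ev["dport"] = int(ev["dport"])
    return ev


def enrich(ev):
    """Attach CMDB asset context and any open findings on the targeted port."""
    ev = dict(ev)
    ev["asset"] = CMDB.get(ev["dst"], {"hostname": "unknown", "criticality": "unknown"})
    ev["vulns"] = [v for v in VULN_SCAN
                   if v["ip"] == ev["dst"] and v["port"] == ev["dport"]]
    return ev


def correlate(ev):
    """Constructed rule: allowed traffic to a port with an open finding raises an
    alert; priority rises with finding severity and asset criticality.
    Returns None when the rule does not fire."""
    if ev["action"] != "allow" or not ev["vulns"]:
        return None
    worst = max(SEVERITY_RANK[v["severity"]] for v in ev["vulns"])
    if worst >= SEVERITY_RANK["high"] and ev["asset"]["criticality"] == "high":
        priority = "high"
    elif worst >= SEVERITY_RANK["medium"]:
        priority = "medium"
    else:
        priority = "low"
    # The asset owner and finding IDs travel with the alert so the analyst
    # has the context the article describes without a second lookup.
    return {"priority": priority, "ts": ev["ts"], "src": ev["src"],
            "host": ev["asset"]["hostname"], "owner": ev["asset"].get("owner"),
            "findings": [v["finding"] for v in ev["vulns"]]}


def run(lines=RAW_LOGS):
    """Parse, enrich and correlate every line; return the alerts that fired."""
    alerts = []
    for line in lines:
        alert = correlate(enrich(parse_event(line)))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed input, the allowed connection to the database port with a high-severity finding on a high-criticality asset becomes a high-priority alert, the kiosk event becomes a medium one, and the denied connection produces nothing. The point is that the same three log lines, without the CMDB and scanner context, would all look alike.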
And when a security incident does occur, enVision 4.0 customers should be more prepared to deal with it, thanks to several new features in the product, including new screens designed specifically for investigating security issues. “We’ve made some big improvements to our Event Explorer interface, which lets you get down and dirty with the detailed event data, and make those ad-hoc forensic queries quicker and easier to perform,” Stamp writes. And with this release, events monitored through enVision can also be hooked into a ticketing system, such as EMC’s Infra system, to close the loop on security incidents.
enVision is sold as an appliance-based solution. With this week’s announcement, two new mid-market appliances have been added to the lineup, including the ES-1260, which supports up to 600 devices and event volumes of up to 1,200 events per second, and the ES-3060, which supports up to 1,200 devices and event volumes of up to 3,000 events per second. These join existing appliances, which can scale up to more than 6,000 devices and handle 30,000 events per second. For more information, visit www.rsa.com.