That nuisance aside, the Event Explorer interface is clean and extremely powerful. Building rules that trigger alarms on various parameters, creating special "watch lists" and making other customizations are all quite easy, and the documentation and help mechanisms gave us any additional insight we required. Watch lists are a way to filter events by matching particular strings or lists of like values. We were impressed with the level of drill-down detail on the one hand, and on the other with how readily the reporting engine and its high-level reports could be understood by upper management (a real time-saver for administrators).
Our only real complaint is that the GUI does not adhere to normal Windows shortcut standards. For example, one of the most annoying problems we encountered was that instead of refreshing the screen, the F5 key would silently end our session and log us out. RSA should update the key maps to adhere to Windows conventions.
EnVision's real power is in its ability to perform complex correlation and alerting. The correlation engine does a great job of helping administrators identify important alerts, so organizations don't waste time and money assigning resources and people to investigate false positives. Once you learn to trust the tool's analyses, your event management practices should improve in a serious way.
We were easily able to drill down, analyze and identify events that related to each other and formed the basis of a serious compromise attempt, while sorting out the normal noise.
We were impressed with the ease of integrating database logs and other event sources, such as firewalls, IDS/IPS and alternative operating systems, into the product. We were pleasantly surprised at how easy it was to create effective monitoring for an average e-commerce website installation that we modeled in our lab. It took our team less than four hours to establish a comprehensive view of the site and to effectively monitor its security events.
Reports, which are created through an easy-to-use interface, can be run ad hoc or scheduled. Report generation is fairly straightforward, with a number of built-in reporting packages available, including SOX, PCI DSS, HIPAA, GLBA and SAS 70.
EnVision is quick to install, easy to configure, and will bring most organizations a deeper, more complete view of their environments.
Testing methodology: The lab consisted of multiple machines, with a focus on the Windows environment. Data was generated by a utility provided by RSA and by multiple syslog devices within the lab.
This was first published in July 2008