Published: 17 Jul 2008
EnVision is a powerful and manageable tool that enterprises can easily leverage to reduce the resource requirements of the security team for event analysis, incident handling and baseline compliance reporting.
It possesses a strong mechanism for gathering data from myriad devices and applications around the enterprise and performing parallel processing, correlation and analysis.
Software configuration was a snap, and RSA includes onsite time with its engineers as part of the sale.
Configuration and log delivery mechanisms are typical of this type of tool. Any system or network administrator with a modest level of experience should be able to get enVision working with any device or application in the enterprise.
We had no problems setting up a variety of platforms and applications in our lab.
The appliance is well equipped with RAID, multiple power supplies and powerful cooling units. It's a bit louder than some server devices we have tested in the same size range, but this is trivial once it's installed in your network room.
That nuisance aside, the Event Explorer interface is clean and extremely powerful. Building rules that trigger alarms on various parameters, and creating special "watch lists" and other customizations, are quite easy; a watch list filters events by particular strings and by lists of like values. The documentation and help mechanisms gave us any additional insight we required. We were impressed with the level of drill-down detail on the one hand, and on the other with the ease of understanding that the reporting engine and high-level reports provided for upper management (a real time-saver for administrators).
Our only real complaint is that the GUI does not adhere to normal Windows shortcut standards. For example, one of the most annoying problems we encountered was that instead of refreshing the screen, the F5 key would silently end our session and log us out. RSA should update the key maps to adhere to Windows conventions.
EnVision's real power is in its ability to perform complex correlation and alerting. The correlation engine does a great job of helping administrators identify important alerts, so organizations don't waste time and money assigning resources and people to investigate false positives. Once you learn to trust the tool's analyses, your event management practices should improve in a serious way.
We were easily able to drill down, analyze and identify events that related to each other and formed the basis of a serious compromise attempt, while sorting out the normal noise.
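The two capabilities described above, watch lists that match event fields against lists of like values and a correlation rule that ties related events together while ignoring noise, can be illustrated in a few dozen lines. The following is an added example written for this page, not RSA's code or a description of enVision's internals: it parses a handful of constructed syslog lines, applies two hypothetical watch lists, and runs one correlation rule (several failed logins followed by a success from the same source, user and host within a time window). The field names, list contents, threshold and window are all assumptions.

```python
"""
Added example (not RSA's code): toy watch-list filtering and event
correlation over constructed syslog lines. Field names, watch-list
contents, thresholds and the time window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (RFC 3164 style; documentation-range IPs, no real hosts).
SAMPLE_LOG = """\
Jul 17 10:00:01 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 17 10:00:04 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Jul 17 10:00:09 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jul 17 10:00:15 web01 sshd[2105]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Jul 17 10:00:20 db01 sshd[4412]: Failed password for backup from 198.51.100.9 port 40010 ssh2
Jul 17 10:01:02 web01 sshd[2107]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2
Jul 17 10:02:30 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=3389
"""

# "Mon DD HH:MM:SS host process: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
# sshd authentication outcome line
SSH_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_syslog(text, year=2008):
    """Turn raw syslog text into a list of event dicts with normalized field names."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the expected layout
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}
        s = SSH_RE.search(m["msg"])
        if s:
            ev.update(s.groupdict())
        else:
            # firewall-style KEY=value fields; lowercased so SRC becomes "src" like the ssh events
            ev.update({k.lower(): v for k, v in re.findall(r"(\w+)=(\S+)", m["msg"])})
        events.append(ev)
    return events


# Hypothetical watch lists: a named set of like values checked against one event field.
WATCH_LISTS = {
    "privileged_accounts": {"field": "user", "values": {"admin", "root", "backup"}},
    "known_bad_sources": {"field": "src", "values": {"203.0.113.7"}},
}


def apply_watch_lists(events, watch_lists=WATCH_LISTS):
    """Return (watch_list_name, event) pairs for every event whose field value is on a list."""
    hits = []
    for ev in events:
        for name, wl in watch_lists.items():
            if ev.get(wl["field"]) in wl["values"]:
                hits.append((name, ev))
    return hits


def correlate_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a (host, user, source) sees >= threshold failures and then a success within window.
    Single failures and unrelated successes are left as noise."""
    failures = defaultdict(list)  # (host, user, src) -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("user"), ev.get("src"))
        if ev.get("result") == "Failed":
            failures[key].append(ev["ts"])
        elif ev.get("result") == "Accepted":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                               "failures": len(recent), "success_at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    for name, ev in apply_watch_lists(evs):
        print(f"watch list {name}: {ev['host']} {ev['msg']}")
    for a in correlate_bruteforce_success(evs):
        print(f"ALERT: {a['failures']} failures then success for {a['user']}@{a['host']} from {a['src']}")
```

On the sample data the watch lists flag every event touching the admin or backup accounts or the listed source, including the firewall drop, while the correlation rule raises a single alert for the admin login on web01, which is the sort of "related events forming a compromise attempt" the review describes surfacing from the noise.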
We were impressed with the ease of integrating database logs and other event sources, such as firewall, IDS/IPS and alternative operating systems, into the product. We were pleasantly surprised at how easy it was to create effective monitoring for an average e-commerce website installation that we modeled in our lab. It took our team less than four hours to establish a comprehensive view of the site and be able to effectively monitor its security and events.
Reports, which are created through an easy-to-use interface, can be run ad hoc or scheduled. Report generation is fairly straightforward, with a number of built-in reporting packages available, including SOX, PCI DSS, HIPAA, GLBA and SAS 70.
EnVision is quick to install, easy to configure, and will bring most organizations a deeper, more complete view of their environments.
Testing methodology: The lab consisted of multiple machines, with a focus on the Windows environment. Data was generated by a utility provided by RSA and by multiple syslog devices within the lab.