EMC RSA Security Analytics: SIEM product overview
Expert Karen Scarfone examines EMC RSA Security Analytics, a SIEM product for harvesting, analyzing and reporting on security log data across the enterprise.
EMC RSA Security Analytics is an enterprise security information and event management (SIEM) product. The purpose of a SIEM is to harvest, analyze and report on security log data across an enterprise, including network-based security controls and host operating systems and applications. EMC RSA Security Analytics reviews the security log entries for signs of suspicious activity, and then acts accordingly to report any signs of malicious activity to administrators.
Product versions
EMC RSA Security Analytics is a highly modular product with several major components, including:
- Capture Infrastructure
- Decoders collect and analyze log data and generate associated metadata;
- Concentrators collect metadata from the decoders;
- Brokers, which provide an interface for queries to metadata on multiple concentrators; and
- Analytics servers work in conjunction with a broker to provide a graphical user interface for human users.
- Analysis and Retention Architecture
- Archivers enable archival of old log data and metadata;
- Event stream analyzers correlate events across the log data and metadata; and
- Analytics warehouses provide a big data analysis capability for large sets of data and metadata.
These are available as separate products, and EMC also makes certain combinations of these products available in dedicated appliances. For example, there is an EMC RSA Security Analytics All-In-One appliance that combines a decoder, a concentrator and an analytics server. Another option is an EMC RSA Security Analytics Hybrid, which is similar, but only offers decoder and concentrator functions; a separate analytics server is still needed.
More information on each of the components described above is available here.
Additional security capabilities
EMC RSA Security Analytics offers several additional security capabilities besides the core SIEM functions. For example, it provides support for threat intelligence feeds that are delivered through RSA Live. It can also perform network forensics functions, and EMC RSA Security Analytics is sometimes deployed to complement the capabilities of other SIEM technologies. Lastly, it supplements existing enterprise logging by directly collecting security event data from endpoints and networks.
Reporting capabilities
An important feature provided by most SIEM products is extensive reporting capabilities. EMC RSA Security Analytics comes with nearly 100 reporting templates that provide built-in support for many security compliance initiatives, including the following:
- Federal Information Security Management Act of 2014
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act
- International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001/27002, Information Security Management
- North American Electric Reliability Corporation Critical Infrastructure Protection
- Payment Card Industry Data Security Standard
- Sarbanes-Oxley Act
Licensing and pricing
Due to the modularity and complexity of the EMC RSA Security Analytics offerings, it is beyond the scope of this article to provide detailed information on component licensing and pricing. Organizations interested in seeing component options and their pricing should visit the EMC store here.
EMC RSA Security Analytics overview
EMC RSA Security Analytics is a highly scalable and flexible SIEM for large organizations. It offers robust capabilities, including several advanced security features not found in all enterprise SIEM products, as well as a wide range of compliance reporting features. Large enterprises that are seeking a new SIEM product to replace an existing SIEM or complement its capabilities should carefully consider the EMC RSA Security Analytics offering.