RSA enVision^® Discussions

davidski, Customer Support has some additional details on this that they'd be happy to share if you want to give them a call.

On the NICP issue, support has very little additional information. I've been working with them for several days and they still can't answer the fundamental question of what the exposure is with the old/current version of the NIC protocol. If anyone has an inside track on what an attacker could do with the old version of the protocol (specifically, is the vuln limited to data exposure or could data be modified or code even run on the enVision cluster), that would be very helpful.

David

David,

Some quick thoughts for you (full disclosure: I'm the PM for Event Explorer):

• You are correct that once you have created an Event Trace in one database (be it external or the in memory one), you cannot move it to another database.  I suppose you could always create a new trace that's exactly the same in a different database.

• Where EE is really helpful on the enrichments is with advanced tables and charts.  If EE has some enVision data in an external DB and you have added other data to that DB (such as geo-location or active directory), you can create an advanced chart that pulls it together.  I'm working on getting samples of this that we can post to the community.

• The process of linking views is pretty easy (just clicking the little icon at the top of each view) - are you asking what types of views to link?  When I've demo'ed this, I've usually shown views with activity broken down by Device Class, Users, Message IDs and Event Categories and linked those.  If your trace view is specific to one device class, you wouldn't really need a breakdown of activity by device class, but perhaps activity by IP address?  Or maybe a chart breaking down the activity by time periods?

Sandy

Sandy,

I appreciate the response. Looking over your comments I get the impression, as I often do these days, that RSA either does not understand its userbase or that I'm attempting to use enVision in a way that is just not appropriate. My team and I only use the advanced tables and charts when we have very particular needs defined. Why? Because trying to work with any sizable data set with EE is so painful as to be impossible.

As an example, take a look at this PDF recently posted on the Citrix blog (pdf). This shows a dashboard that was quickly created for the Citrix NetScaler load balancer platform. We have some of these devices and I attempted to recreate this open source based toolset with my 6-figure enVision solution. The first problem I hit is that 24 hours of data (as displayed by splunk here) is a huge amount of data for me. Even increasing to 300 MB of storage only grabs me a little over three hours of data. Once I pull that down, trying to execute any sort of query in EE is unusably slow (several minutes for a standard chart change to execute). Once a query executes, if I discover a standard chart doesn't work, I have to create a new advanced chart view from scratch.

Linked views is an interesting sounding feature, but without the abilty to query large data sets without pulling gigabytes of traffic down to a local EE client, I don't see how the potential can be realized. If being able to scan the enVision IPDB in realtime was possible, then this drill down feature would be a knock out. As it is, it doesn't sound like it could possibly scale. My team needs to query and analyze large amounts of data for trend analysis, not generate 3D charts.

Again, I'm completely open to the idea that my use cases for EE/enVision are completely wrong. I'm just stumped with how to explain the lack of performance and capabilities when visitors come and expect functionality present on either much cheaper (splunk) or much more expensive (ArcSight) solutions and I have no solution.

To the user community, I'd love to hear real world examples of how you're using the new 4.0.3 feature set. It still sounds very interesting. I just don't know how any reasonably sized org is generating value out of it at the moment.

David

Grose,

Thanks a lot for your answer. You instructions were really helpfull!

I've renamed the C:\Users\<user>\EventExplorer\.metadata directory to ".metadata old" , restart Event Explorer and now it's working like a charm!

Hi, David,

The performance issues you refer to are a large part of why we introduced the external database support.  Pre-4.0.3, you couldn't pull a large amount of data (over a million rows) without performance issues - the in-memory database couldn't handle it.  By storing an event trace in an external database (SQL Server or Greenplum), you can pull a much larger data set and get better performance.  This then allows for the broader traces that you were mentioning. 

The in-memory database is good for those more specific event traces that you have been doing all along.  For a broader event trace, an external database is the way to go.  There's a little about this in this week's blog on best practices: [[page no longer exists]]

Thanks!

Sandy 

Hi, DemondogUK,

A few thoughts:

1. Can you limit the time frame for the event trace at all?  If you are concerned about a particular period of time, try limiting the trace to just that time period.

2. While the IP addresses you are looking for aren't monitored devices, do you know which devices the user in question might be using to connect to those IPs?  If so, you could limit the trace to a particular set of device types or device groups.

3. Are you adding filters to the Event Trace itself?  Try filtering where the source IP or destination IP is the address in question, or filter by username. 

Let me know how this works for you.

Thanks!