RSA Archer Threat Management 4 Overview Guide


RSA Archer eGRC Suite

RSA Archer Threat Management 4

Overview Guide
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
http://www.emc.com/support/rsa/index.htm.
Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and EMC are either registered trademarks or trademarks of EMC
Corporation ("EMC") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-party licenses
This product may include software developed by parties other than RSA.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2012 EMC Corporation. All Rights Reserved. Published in the USA.
December 2012

Contents

Preface
  About This Guide
  RSA Archer eGRC Platform Documentation Set
  RSA Archer Threat Management Documentation Set
  RSA Archer Threat Management Data Dictionary
  Support and Service
Chapter 1: Understanding Threat Management
  Introduction
  Threat Management
  Threat Management Program
  Basic Threat Management Scenario
  Objectives of a Threat Management Program
  Enterprise Threat Management Process
  Enterprise Threat Management Process Diagram
  Assets and Vulnerabilities
    Assets
    Vulnerabilities
  Threat Data
Chapter 2: Understand RSA Archer Threat Management 4
  Introduction
  RSA Archer Threat Management
  RSA Archer Threat Management Features
  RSA Archer Threat Management Components
    Subsolutions and Applications
    RSA Archer Threat Management Diagram
    RSA Archer Threat Management Integrated Solution Diagram
  Vulnerability Research Subsolution
    Vulnerabilities Application
    Malicious Code Application
    Patches Application
    Technologies Application
  Vulnerability Scan Management Subsolution
    Vulnerability Scan Requests Application
    Vulnerability Scans Application
    Vulnerability Scan Results Application
  Threat Management Subsolution
    Threat Intelligence Application
    Threat Project Application
    Question Library Application
    Threat Assessment Questionnaire
  Issue Management Subsolution
    Findings Application
    Exception Requests Application
    Remediation Plans Application
    Policy Change Requests Application
  RSA Archer Threat Management Process Flow
  RSA Archer Threat Management User Groups and Access Roles
Index


Preface

About This Guide


This guide contains information that helps RSA® Archer™ eGRC Suite
administrators understand the RSA Archer Threat Management solution. It provides
information about the solution, any subsolutions, and the applications.
This guide assumes the reader is knowledgeable about the eGRC industry and the
RSA Archer eGRC Suite.

RSA Archer eGRC Platform Documentation Set


For information about the RSA Archer eGRC Platform 5.3, see the following
documentation:

Guide: Description

Administrator Guide: Provides administrators with a system overview, guidelines
for navigating, and detailed instructions for key tasks.

Control Panel Guide: Provides administrators with instructions for completing
tasks in the release.

Installation Guide: Provides administrators the details of the steps required to
plan for, prepare, install, configure, grant access to, and test the release.

Release Notes: Provides administrators a detailed listing of new features, fixed
issues, and known issues at the time of the current release.

User Guide: Provides end users with guidelines for navigating, detailed
instructions for key tasks, and information about using communication tools.

Web Services API Reference Guide: Provides IT managers and programmers a list of
the available web services for programmatically interfacing with the release.
This guide provides formatting guidelines for field results, field inputs, and
search inputs, and provides sample code for searching, adding and updating
users, and updating assets.


Access the documentation from the Documents page on the RSA Archer Community at
https://community.emc.com/community/connect/grc_ecosystem/rsa_archer.

RSA Archer Threat Management Documentation Set


For information about the RSA Archer Threat Management solution, see the
following documentation:

Guide: Description

Release Notes: Introduces the RSA Archer Threat Management solution, lists the
documentation available, and provides information for obtaining support and
service.

Overview Guide: Introduces the RSA Archer Threat Management solution and
provides information about the Solution, any subsolutions, and the applications.

Installation Guide: Provides administrators with instructions to install the
solution.

Practitioner Guide: Provides design information about the solution and a use
case highlighting how the solution works.

You can access the RSA Archer Threat Management documentation from the
Documents page on the RSA Archer Exchange at
https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange.

RSA Archer Threat Management Data Dictionary


The RSA Archer Threat Management Data Dictionary contains configuration
information for the solution, including the user groups and access roles that must be
created.
You can obtain the Data Dictionary for the solution by contacting your RSA Archer
Account Representative or calling 1-888-539-EGRC.

Support and Service


Customer Support Information: http://www.emc.com/support/rsa/contact/phone-numbers.htm

Customer Support E-mail: [email protected]

RSA Archer Community: https://community.emc.com/community/connect/grc_ecosystem/rsa_archer

RSA Archer Exchange: https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange

The Community enables collaboration among eGRC clients, partners, and product
experts. Members actively share ideas, vote for product enhancements, and discuss
trends that help guide the RSA Archer product roadmap.
The Exchange is an online marketplace dedicated to supporting eGRC initiatives.
The Exchange brings together on-demand applications along with service, content,
and integration providers to fuel the success of RSA Archer clients.


Chapter 1: Understanding Threat Management

Introduction
This chapter contains the following sections:
Threat Management
Threat Management Program
Basic Threat Management Scenario
Objectives of a Threat Management Program
Enterprise Threat Management Process
Enterprise Threat Management Process Diagram
Assets and Vulnerabilities
Threat Data

Threat Management
ISO 27005 defines a threat as "a potential cause of an incident that may result in
harm of systems and organization." Threat management means enabling processes,
technologies, and resources that identify threats to business and working to reduce,
mitigate, or respond to those threats.
The RSA Archer Threat Management 4 solution provides a central repository of
threat data, clear reporting of activities related to threat remediation, and a constant
and repeatable threat management process.

Threat Management Program


An enterprise-level threat management program is composed of many processes,
tools, procedures, and enablers. The program should have a continuous cycle that
flows from prevention to detection to response, with a feedback loop to ensure that
threats are proactively managed as much as possible. While no organization can
prevent every threat, the goal should be to identify and prevent as many as possible,
detect and respond to any active threats, and learn from any events or incidents for
improved threat management in the future.
The RSA Archer Threat Management program is split into two major areas: threat
prevention and threat detection and response.


Most organizations address threat detection and response first. Organizations have
some capability to identify and respond to security events and incidents. The
question is the actual completeness of that capability, the effectiveness of the
detection methods, and the ability to respond in a manner that meets business
requirements.
The secondary component is threat prevention. Again, most organizations have
some ability to identify vulnerabilities and patch systems to prevent threats from
impacting operations; the question is how effective the overall approach is. This is
an area where companies need to expand and improve their processes to address
the changing threat landscape.
Finally, visibility into these activities is an important part of a threat management
program. To properly report on and manage the corporate security status, the CISO
needs to have information flowing from the threat management program to affect
proper security controls across the enterprise.

Basic Threat Management Scenario


The following figure shows a basic threat scenario. A threat agent uses a particular
attack vector to exploit a security weakness or elude security controls, which
impacts the technology and the business.

The overlaid boxes represent each stage of the threat scenario and the
corresponding techniques for preventing and detecting the threat.

Objectives of a Threat Management Program


A threat management program aims to do the following:

Reduce Attack Vectors. To reduce attack vectors you must understand both the
threats that could affect your environment and the potential attack vectors. You
can reduce attack vectors through intelligence gathering, scenario and threat
modeling, and proactive analysis.

Reduce Security Weaknesses by Implementing Security Controls. Every
environment has inherent weaknesses, whether they are platform vulnerabilities
in an IT system or ingress/egress points in a facility. A threat management
program aims to advise the business on the proper controls to eliminate, mitigate,
or reduce those vulnerabilities. Actual implementation of the security controls is
not part of the threat management, only identification of and recommendations
for the controls.

Understand Assets and Monitor Activity. To detect and prioritize active
threats, assets must be cataloged, analyzed, and prioritized so that the technical
impacts of a threat can be properly understood. Also, activity on the assets must
be monitored in order to understand where threats have actually exploited
security weaknesses or bypassed security controls.

Minimize Business Impact. An effective, efficient response to and mitigation
of threats are necessary for maintaining a secure environment. If a threat has
managed to exploit a weakness or elude security controls and is detected,
response and mitigation activities must be implemented quickly to reduce the
potential business impact.

Enterprise Threat Management Process


An enterprise threat management process can be broken down into two areas: threat
prevention and threat detection and response.
Threat prevention covers both threat identification and vulnerability identification
and prevention.
Threat Identification. Building an understanding of the threats that are inherent
in the business or are potential attackers/threat actors.
Vulnerability Identification and Prevention. Identifying vulnerabilities in the
infrastructure or business that could be exploited and eliminating or reducing
those vulnerabilities.

Threat detection and response covers both attack detection and investigation and
resolution.
Attack Detection. Identifying active attacks against the organization.
Investigation and Resolution. Responding to active attacks, reducing business
impact, and resolving the threat.

Enterprise Threat Management Process Diagram


The following figure shows the process of enterprise threat management.


Note: This model does not articulate the many related processes, such as patch
management, configuration management, business continuity management, or
disaster recovery processes, that are at times associated with threat management.
These processes are typically a separate part of the organization and not under the
purview of security operations. The Control Processes banded through the middle of
the model represent other security-related processes, such as policy development,
business continuity/disaster recovery, identity management, and configuration
management, which are outside the scope of, but fed by the threat management
program.

Assets and Vulnerabilities


Assets
An asset is a system, such as a host, software system, workstation, or network
device, that resides within a network and makes up part of the enterprise
environment. Assets can be targets of active attacks, and thus must be understood
and monitored as part of a threat management program.

Vulnerabilities
A vulnerability is a weakness that could be exploited by a threat. Examples include
an open firewall port, a password that is never changed, or a missing control. At a
higher level, a vulnerability is also a weakness in a process, administration, or
technology that allows malicious entities access to your systems.


Vulnerabilities as Risks
Because new vulnerabilities are discovered every day, vulnerabilities must be
identified and eliminated on a regular basis. Applying security patches helps
mitigate specific vulnerabilities. However, when network-attached devices run
without current security updates, these unpatched devices are vulnerable to a
variety of exploits.
Not all vulnerabilities have related patches. For this reason, system administrators
must not only be aware of vulnerabilities and patches, but also must mitigate
vulnerabilities through other methods, such as firewalls or router access control
lists.
A common mistake among system administrators is to monitor only patches and not
vulnerabilities. Although this omission is understandable given the time pressures
many system administrators face, this omission can be dangerous because attackers
spend considerable time monitoring and exploiting vulnerabilities.
Exploitation of a Vulnerability
The exploitation of a vulnerability can be accomplished locally (internally) or
remotely (externally) by a hacker or a disgruntled employee. In addition,
vulnerabilities can be exploited by a worm or virus. The most common examples of
what happens when vulnerabilities are exploited include the following:
Denial of service. The system may crash, resulting in a lack of service.
Arbitrary code execution. Someone is allowed to execute a command with
local user or root privileges (for example, delete or copy files).
Buffer overflow. The system may crash.

Threat Data
Threat data includes vulnerability, malicious code, and geopolitical threat
information, results from vulnerability scanners and other network monitoring
devices, security intelligence and threat feeds, and other intelligence gathered from
trusted sources. Robust threat data helps you to analyze the dangers to your
organization and prioritize your remediation and mitigation efforts.


Chapter 2: Understand RSA Archer Threat Management 4

Introduction
This chapter contains the following sections:
RSA Archer Threat Management
RSA Archer Threat Management Features
RSA Archer Threat Management Components
Vulnerability Research Subsolution
Vulnerability Scan Management Subsolution
Threat Management Subsolution
Issue Management Subsolution
RSA Archer Threat Management Process Flow
RSA Archer Threat Management User Groups and Access Roles

RSA Archer Threat Management


The RSA Archer Threat Management solution provides a centralized repository of
threat data, clear reporting of activities related to threat remediation, and a
consistent and repeatable threat management process. The solution allows you to
document geopolitical threats; consolidate vulnerability, malicious code, and patch
information from security providers; and capture vulnerability results from scanning
technologies into one consistent threat management system. The RSA Archer
Threat Management solution provides the tools that you need to analyze and refine
threat data, automatically notify personnel, and proactively address threats before
they impact your organization.
Through the RSA Archer Threat Management solution, you can do the following:
- Centralize threat data, content from a commercial threat feed provider, or threat
  advisories received via email from your trusted sources into a searchable,
  standards-compliant database.
- Populate and enhance the threat data with information from your own research,
  analysis, or internal requirements.
- Consolidate, analyze, and react to vulnerability and malicious code warnings that
  impact your business.
- Automatically notify personnel responsible for threat management so that they
  can proactively address emerging threats.
- Integrate data from the RSA Archer Enterprise Management solution to
  prioritize the implementation of patches or workarounds based on the business
  criticality of a technology asset.
- Integrate with vulnerability scanning devices and patch management solutions to
  centralize data, identify issues and track vulnerability remediation status on an
  asset-by-asset basis.
- Create remediation plans that relate multiple vulnerability alerts and scan results,
  and track actual and estimated remediation costs and timeframes.
- Produce real-time reports and user-specific dashboards to view threats by
  technology, severity, type, and impact to your organization and to monitor the
  overall status of your threat management program.

RSA Archer Threat Management Features


The RSA Archer Threat Management solution allows you to do the following:

Consolidate your Threat Database. The RSA Archer Threat Management
solution allows you to centralize threat data from your trusted sources in a
searchable, standards-compliant database. You can capture geopolitical threats,
vulnerabilities, malicious code, and patch information through the following
methods:
- Research and enter your own threat content through the RSA Archer web
  interface.
- Use pre-built integrations with leading commercial threat feed providers,
  which are available on the RSA Archer Exchange.
- Employ the RSA Archer mail monitor capabilities to monitor an email account
  for threat advisories, automatically pull that data into the Platform, and map it
  to the appropriate fields.

Analyze and Refine Threat Data. The RSA Archer Threat Management
solution allows you to analyze vulnerabilities and malicious code warnings as
they pertain to the critical technologies and processes of your organization. You
can filter out threats that have no impact on your business, which prevents
security personnel from being overwhelmed with unnecessary advisories. For
those threats with a direct impact to your business, you can refine the CVSS
score or risk rating and add company-specific instructions for addressing the
threat. In addition, you can create remediation plans to relate multiple
vulnerability and malicious code alerts, tie them to the results of vulnerability
scans, and automate the workflow process for remediation activities.

Track Threats to your Enterprise Infrastructure. Using the RSA Archer
Threat Management solution alongside the RSA Archer Enterprise Management
solution provides you with a clear view of the threats that impact devices,
applications, and facilities. The RSA Archer Enterprise Management solution
allows you to determine the criticality of technical assets based on the business
processes, products, and services that they support. You can then prioritize the
implementation of patches or workarounds based on the business criticality of an
asset. This decision support helps you allocate resources effectively while
protecting what is most important to your business.

Alert Users to Emerging Threats. You can automatically notify responsible
personnel when threats emerge so they can proactively address the threats before
your systems are compromised. Threat notifications include details on the
severity of the threat, the CVE ID, affected technologies, and remediation
instructions, along with links to the full threat and patch records, which
empowers users to take immediate action. The RSA Archer Platform allows you
to define notification filter criteria so that users receive specific types of
alerts, or you can allow end users to define their own filters to limit the number
of emails that they receive.

Consolidate Vulnerability Scan Data and Track Remediation Efforts. When
you integrate the RSA Archer Threat Management and Enterprise Management
solutions to perform asset-to-vulnerability correlation, you can also take
advantage of pre-built integration with vulnerability scan technologies and patch
management solutions. Combining data from these sources with threat and asset
data in the Platform allows you to audit and validate that vulnerabilities have
been properly addressed on an asset-by-asset basis to ensure the platform-level
security configurations of your organization.

Report on Threat and Vulnerability Activities. Through the powerful
reporting capabilities of the RSA Archer Threat Management solution, you can
view threats by technology, severity, type, and impact to your organization. The
solution also provides configurable dashboards for real-time views of the latest
vulnerabilities and malicious code for trending analysis, summary views, and
tracking work queues associated with threat management and vulnerability
remediation. You can quickly view underlying data for a complete understanding
of potential impacts to your business. This information is essential to determining
action plans for the remediation of threats.

RSA Archer Threat Management Components


The RSA Archer Threat Management solution is composed of four subsolutions:
- Vulnerability Research
- Vulnerability Scan Management
- Threat Management
- Issue Management

Subsolutions and Applications

The RSA Archer Threat Management subsolutions are composed of the following
applications and questionnaire:
- Vulnerability Research Subsolution
  - Vulnerabilities
  - Malicious Code
  - Patches
  - Technologies
- Vulnerability Scan Management Subsolution
  - Vulnerability Scan Requests
  - Vulnerability Scans
  - Vulnerability Scan Results
- Threat Management Subsolution
  - Threat Intelligence
  - Threat Project
  - Question Library
  - Threat Assessment
- Issue Management Subsolution
  - Findings
  - Exception Requests
  - Remediation Plans
  - Policy Change Requests

RSA Archer Threat Management Diagram


The following figure shows the relationships between the subsolutions and
applications that make up the RSA Archer Threat Management solution.


RSA Archer Threat Management Integrated Solution Diagram


The following figure shows the relationships between the subsolutions and
applications that make up the RSA Archer Threat Management solution and the
applications in the RSA Archer Enterprise Management solution.


Vulnerability Research Subsolution


The Vulnerability Research subsolution provides a centralized repository of threat
data, clear reporting of activities related to threat remediation, and a consistent and
repeatable threat management process. This subsolution allows you to document
threat intelligence data and consolidate vulnerability, malicious code, and patch
information from security intelligence providers. It also enables you to analyze and
refine threat data, automatically notify responsible personnel, and proactively
address threats before they impact your organization.


Vulnerabilities Application
The Vulnerabilities application collects consistent vulnerability data. By tying
vulnerabilities to asset data in the RSA Archer Enterprise Management solution,
you can analyze, prioritize, and proactively respond to address threats to vulnerable
assets. The Vulnerabilities application accepts intelligence feeds from third-party
vendors, including Symantec and Verisign.
Through the Vulnerabilities application, you can do the following:
- Automatically import data from an intelligence feed.
- Automatically notify appropriate personnel when new vulnerabilities are
  identified.
- Research potential threats and produce real-time reports that aid in the creation
  of action plans.

Vulnerabilities Application Workflow


The following figure shows the workflow of the Vulnerabilities application.

Vulnerabilities Application Integrations


The Vulnerabilities application integrates with the following data feeds:
- Symantec DeepSight
- Verisign iDefense
- National Vulnerability Database Vulnerabilities feed


Malicious Code Application


The Malicious Code application collects malware data regarding worms, Trojans,
rootkits, spyware, crimeware, viruses, and other hostile or intrusive program code.
By tying malicious code to asset data in the RSA Archer Enterprise Management
solution, you can analyze, prioritize, and determine the required remediation based
on the criticality rating of the asset. The Malicious Code application accepts
intelligence feeds from vendors, including Symantec and Verisign.
Through the Malicious Code application, you can do the following:
- Automatically import data from an intelligence feed.
- Automatically notify appropriate personnel when new malicious code is
  identified.
- Research potential threats and produce real-time reports that aid in the creation
  of action plans.

Malicious Code Application Workflow


The following figure shows the workflow of the Malicious Code application.

Malicious Code Application Integrations


The Malicious Code application integrates with the following data feeds:
- Symantec DeepSight
- Verisign iDefense


Patches Application
The Patches application serves as a repository for the latest patches released by
software vendors that mitigate specific vulnerabilities. You can access and
research patches that mitigate vulnerabilities in addition to utilizing real-time
reports that aid in creating remediation plans.
Through the Patches application, you can do the following:
- Relate patches to vulnerabilities in order to prioritize mitigation plans based on
  vulnerability severity.
- Consolidate intelligence feeds from vendors.
- Automatically notify appropriate personnel when new patches are available for
  the technologies they support.

Patches Application Integrations


The Patches application integrates with the following data feeds:
- Symantec DeepSight
- Verisign iDefense

Technologies Application
The Technologies application provides a searchable and extensible repository of
technology version information that can be leveraged to relate objects of like
technology.
The Technologies application is a three level application with the following levels:
Vendors. The Vendors level contains information relating to the technology
vendors, including name, description, and vendor naming conventions.
Technologies. The Technologies level contains information relating to specific
technologies, including name, description, and technology naming conventions.
Technology Versions. The Technology Versions level contains information
relating to technology versions, including name, description, and technology
version naming conventions.
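The three-level Vendors > Technologies > Technology Versions hierarchy is what lets vulnerability and patch records be related to the assets that run a given technology. The following is an added example, not RSA Archer code and not the product's data model: it sketches in plain Python the processing this guide describes in Chapter 1 (track vulnerabilities, not just patches, and fall back to firewall or ACL mitigations where no patch exists) and in the Features section (asset-to-vulnerability correlation, prioritization by business criticality, owner notification with a severity filter, and asset-by-asset validation against scan results). All records are constructed sample data; the advisory ids (ADV-*), the vendor and product names, and the 1-to-5 criticality scale are assumptions.

```python
"""Added example (not RSA Archer code): correlate advisories to assets through
technology versions, prioritise by CVSS x business criticality, keep unpatched
advisories visible, notify owners, and validate remediation per asset from scan
results.  All records are constructed sample data; advisory ids (ADV-*), the
vendor/product names and the 1..5 criticality scale are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class TechnologyVersion:   # leaf of Vendors > Technologies > Technology Versions
    vendor: str
    technology: str
    version: str


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                          # constructed advisory id, not a real CVE
    cvss: float                           # base score 0.0 .. 10.0
    affected: FrozenSet[TechnologyVersion]
    patch_available: bool                 # False: no vendor fix exists yet


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                            # person to notify for this asset
    criticality: int                      # assumed 1 (low) .. 5 (critical) rating
    installed: FrozenSet[TechnologyVersion]


@dataclass(frozen=True)
class WorkItem:
    asset: str
    owner: str
    vuln_id: str
    score: float
    action: str


def correlate(vulns: List[Vulnerability], assets: List[Asset]) -> List[WorkItem]:
    """Join advisories to assets on shared technology versions, highest priority first.
    Priority = CVSS x criticality, so a medium flaw on a critical host outranks a
    high flaw on a lab box.  Unpatched advisories get a compensating-control action
    instead of being dropped, so tracking patches alone cannot hide them."""
    items: List[WorkItem] = []
    for asset in assets:
        for vuln in vulns:
            if vuln.affected & asset.installed:
                action = ("apply vendor patch" if vuln.patch_available else
                          "no patch: apply compensating control (firewall/ACL), record exception")
                items.append(WorkItem(asset.name, asset.owner, vuln.vuln_id,
                                      round(vuln.cvss * asset.criticality, 1), action))
    return sorted(items, key=lambda w: (-w.score, w.asset, w.vuln_id))


def notifications(items: List[WorkItem], min_score: float) -> Dict[str, List[WorkItem]]:
    """Group work items by owner after a severity filter, like a notification rule."""
    out: Dict[str, List[WorkItem]] = {}
    for w in items:
        if w.score >= min_score:
            out.setdefault(w.owner, []).append(w)
    return out


def reconcile(items: List[WorkItem], findings: Set[Tuple[str, str]],
              scanned: Set[str]) -> Dict[str, str]:
    """Per-asset remediation status from the latest scan: 'closed' only if the asset
    was scanned and the finding is gone; unscanned assets are never counted as fixed."""
    def status(w: WorkItem) -> str:
        if w.asset not in scanned:
            return "not scanned"
        return "open" if (w.asset, w.vuln_id) in findings else "closed"
    return {f"{w.asset}/{w.vuln_id}": status(w) for w in items}


# Constructed sample data.
WEB_24 = TechnologyVersion("Acme", "WebServer", "2.4")
WEB_22 = TechnologyVersion("Acme", "WebServer", "2.2")
DB_91 = TechnologyVersion("Acme", "DbEngine", "9.1")
VULNS = [Vulnerability("ADV-0001", 7.5, frozenset({WEB_24}), True),
         Vulnerability("ADV-0002", 5.0, frozenset({WEB_24, WEB_22}), False),
         Vulnerability("ADV-0003", 9.8, frozenset({DB_91}), True)]
ASSETS = [Asset("web-prod-01", "alice", 5, frozenset({WEB_24})),
          Asset("web-lab-01", "bob", 1, frozenset({WEB_22})),
          Asset("db-prod-01", "alice", 5, frozenset({DB_91}))]
# Latest scan covered only the web hosts; both still report ADV-0002.
SCANNED = {"web-prod-01", "web-lab-01"}
FINDINGS = {("web-prod-01", "ADV-0002"), ("web-lab-01", "ADV-0002")}

if __name__ == "__main__":
    work = correlate(VULNS, ASSETS)
    for w in work:
        print(f"{w.score:5.1f}  {w.asset:12} {w.vuln_id}  {w.action}")
    print(sorted(notifications(work, 20.0)))
    print(reconcile(work, FINDINGS, SCANNED))
```

Two design points matter more than the arithmetic. First, the worklist is driven by the vulnerability record, not the patch record, so an advisory with no fix still surfaces with a compensating-control action; a patch-only view would never show it. Second, reconciliation distinguishes "not scanned" from "closed": a finding that disappears because the host was left out of scope is not evidence of remediation, and treating it as such would silently overstate your coverage.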

Technologies Application Workflow


The following figure shows the workflow of the Technologies application.


Technologies Application Integrations


The Technologies application integrates with the following data feeds:
- Symantec DeepSight
- Verisign iDefense
- National Vulnerability Database Technologies feed

Vulnerability Scan Management Subsolution


The Vulnerability Scan Management subsolution provides a portal for managing
vulnerability scan operations and improving the management of vulnerability scan
results. The solution allows users to submit and track network vulnerability scan
requests; document scope, priority, and frequency requirements; capture
vulnerability results from multiple scanning technologies into one consistent threat
management system; better manage the scan process with assigned ownership and
governance; and identify and respond to security events and incidents.

Vulnerability Scan Requests Application


The Vulnerability Scan Requests application allows you to request a vulnerability
scan on a particular device, application, network segment, or IP range. The
application includes fields to document the request, including requestor and
manager information, scope of the scan, date/time, type of scan, and priority.
Through the Vulnerability Scan Requests application, you can do the following:
- Request a vulnerability scan.
- Request the date and time of the scan.
- Denote the type of scan.
- Define the scope of the scan.

Vulnerability Scan Requests Application Workflow


The following figure shows the workflow of the Vulnerability Scan Requests
application.

Vulnerability Scans Application


The Vulnerability Scans application documents recurring or one-time vulnerability
scans for reporting purposes. Vulnerability scans can be conducted on a regular,
periodic basis as part of a threat management program, for example, quarterly PCI
scans or scans of externally accessible servers. Vulnerability scans can also be
conducted on a transactional basis for one singular purpose, such as an application
scan or as part of a threat assessment.
Through the Vulnerability Scans application, you can do the following:
- Define recurring operational scans including scope, ownership, frequency, and
  other attributes.
- Document individual one-time scans as documentation for other threat processes
  such as pre- or post-implementation reviews or threat assessments.
- Relate individual results from Vulnerability Scans to Vulnerability Scan Results.

Vulnerability Scans Application Workflow


The following figure shows the workflow of the Vulnerability Scans application.

Vulnerability Scan Results Application


The Vulnerability Scan Results application stores each issue reported by a
vulnerability scanner as a record with fields such as device name, IP address,
owner, department, description, notes, and recommendations. Each record carries
the technical recommendation for that scan result, and because results from every
scanner land in the same application, you can report on the total number of issues
regardless of which system detected them.
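The consolidation described above, and in the subsolution overview earlier (results from several scanning technologies captured in one consistent record and reported on regardless of which system found each issue), can be illustrated with a small Python example. This is an added example, not RSA Archer code and not any scanner vendor's export format: the CSV and JSON layouts, the scanner names, the hosts and the findings are all constructed for illustration. It normalises two different export formats into one record shape, merges the same issue seen by two scanners into a single record that remembers both sources, and reports counts by severity.

```python
"""Consolidate vulnerability scan output from two scanner export formats into
one consistent result record and report on it.

Added example, not RSA Archer code: the two export formats, the scanner names
and the sample records are constructed for illustration.
"""
import csv
import io
import json
from dataclasses import dataclass, field


@dataclass
class ScanResult:
    """One issue on one device, in the same shape whichever scanner found it."""
    device_name: str
    ip_address: str
    title: str
    severity: str                                  # Critical/High/Medium/Low/Info
    recommendation: str
    sources: list = field(default_factory=list)   # scanners that reported it


# Constructed sample exports (hypothetical formats, not any vendor's schema).
SCANNER_A_CSV = """host,ip,plugin_name,risk,solution
web01,10.0.0.5,Outdated SSH server,High,Upgrade the SSH package
web01,10.0.0.5,TLS certificate expired,Medium,Renew the certificate
db01,10.0.0.9,Database default credentials,Critical,Set a strong root password
"""

SCANNER_B_JSON = json.dumps({"findings": [
    {"asset": "WEB01", "address": "10.0.0.5", "name": "Outdated SSH Server",
     "cvss": 7.5, "fix": "Upgrade the SSH package"},
    {"asset": "app02", "address": "10.0.0.12", "name": "Directory listing enabled",
     "cvss": 4.3, "fix": "Disable automatic directory indexes"},
]})

# Ordered from most to least severe; used to keep the higher rating on merge.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score onto the qualitative bands Scanner A already uses."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def parse_scanner_a(text: str):
    """Scanner A exports CSV with a textual risk rating."""
    for row in csv.DictReader(io.StringIO(text)):
        yield ScanResult(row["host"], row["ip"], row["plugin_name"],
                         row["risk"].capitalize(), row["solution"], ["scanner-a"])


def parse_scanner_b(text: str):
    """Scanner B exports JSON with a numeric CVSS score instead of a rating."""
    for finding in json.loads(text)["findings"]:
        yield ScanResult(finding["asset"], finding["address"], finding["name"],
                         severity_from_cvss(float(finding["cvss"])),
                         finding["fix"], ["scanner-b"])


def consolidate(*result_streams):
    """Merge results from any number of scanners into one list of records.

    The same issue on the same device reported by two scanners is one issue:
    the record keeps every scanner that saw it and the higher severity, so the
    reported total does not depend on which system detected the issue.
    """
    merged = {}
    for r in (r for stream in result_streams for r in stream):
        key = (r.device_name.lower(), r.ip_address, r.title.lower())
        if key in merged:
            existing = merged[key]
            existing.sources.extend(s for s in r.sources if s not in existing.sources)
            if SEVERITIES.index(r.severity) < SEVERITIES.index(existing.severity):
                existing.severity = r.severity
        else:
            merged[key] = r
    return list(merged.values())


def count_by_severity(results):
    """Total issues per severity band across all scanners."""
    counts = {s: 0 for s in SEVERITIES}
    for r in results:
        counts[r.severity] += 1
    return counts


if __name__ == "__main__":
    results = consolidate(parse_scanner_a(SCANNER_A_CSV),
                          parse_scanner_b(SCANNER_B_JSON))
    for r in results:
        print(f"{r.severity:8} {r.device_name:6} {r.ip_address:11} "
              f"{r.title} ({', '.join(r.sources)})")
    print(count_by_severity(results))
```

The merge key deliberately case-folds the host name and title, because two scanners rarely agree on capitalisation; a production integration would key on a stable identifier (the asset record and a normalised check ID) rather than on the free-text title.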
Vulnerability Scan Results Application Workflow
The following figure shows the workflow of the Vulnerability Scan Results
application.

Threat Management Subsolution


The Threat Management subsolution provides a process for managing threat
projects, including scoping and threat identification via execution of threat
assessment questionnaires, threat analysis, and development of a threat treatment
plan.

Threat Intelligence Application


The Threat Intelligence application collects threat advisory reports and security
updates from a variety of sources. Intelligence can be supplied by the pre-built
Verisign iDefense feed. It can also be entered manually by the security function to
document transactional threats, such as ongoing social engineering or phishing
attacks, or inherent business threats identified through threat assessments,
analysis, or other internal processes. Consolidating this data and tying it back to
your enterprise assets and business processes gives a comprehensive view of threat
severity, impact, and any required remediation.
Through the Threat Intelligence application, you can do the following:
l Automatically import data from an intelligence feed.
l Research potential threats and produce real-time reports that aid in the creation
of action plans.
l Automatically notify appropriate personnel based on established severity criteria.
l Document ongoing threats within the organization.
l Initiate a threat project based on threat intelligence.

Threat Intelligence Application Integrations


The Threat Intelligence application integrates with the following data feed:
l Verisign iDefense

Threat Project Application


The Threat Project application enables the security function to manage the
operational activities of the threat program through project management and an
integrated threat assessment methodology. The Threat Project application provides
security analysts with a consistent methodology to identify threats, analyze
associated risks, and manage risk treatment efforts in one consolidated system.
Through the Threat Project application, you can do the following:
l Manage the process of performing threat assessments from scoping through to
treatment.
l Use multiple scoping options to filter the multi-domain threat assessment.
l Support singular input (one participant) or multiple inputs (multiple participants)
for threat identification.
l Manage threat-related projects through the following lifecycle:
o Project staffing and scoping
o Threat assessment, aggregated scoring, and multiple assessment support
o Threat analysis and evaluation
o Risk treatment, including remediation plans and exception requests

Threat Project Application Workflow


The following figure shows the workflow of the Threat Project application.

Question Library Application


The Question Library application documents assessment questions linked to
authoritative sources, control standards, and risks. You can use these questions as
often as you like in any type of assessment.

Threat Assessment Questionnaire


The Threat Assessment is a pre-built questionnaire that provides a set of questions
to identify common threats for the following types of assets:
l Business Units
l Applications
l Facilities
l Information Assets
l General IT Systems

The threat assessment helps security analysts identify threat actors, threat
scenarios, and threat vectors so that proactive measures can be put into effect.
Threat Assessment Questionnaire Workflow
The following figure shows the workflow of the Threat Assessment questionnaire.

Issue Management Subsolution


The Issue Management subsolution provides the ability to identify and assign
responsibility for the gaps, issues, and deficiencies identified by a risk and
compliance program. Users document these items in the Findings application, which
is preconfigured with the relationships to various components of the eGRC
platform, including risks, questionnaires, policies, and authoritative sources. The
solution also contains two applications that enable users to manage their response to
identified findings. Remediation Plans allows users to document and assign
responsibility for corrective actions that address findings. Exception Requests
allows users to grant temporary acceptance of an identified risk.

Findings Application
The Findings application documents individual control gaps or risks for a specific
scope or target of the threat assessment. Findings can be managed centrally within
the Findings application or associated with remediation plans to track the actual
task of closing the findings.
Findings Application Workflow
The following figure shows the workflow of the Findings application.

Exception Requests Application


The Exception Requests application allows you to manage the process of granting,
denying, and expiring exceptions to policies and control standards. Through the
built-in workflow, the application ensures that every exception is properly
reviewed. You can also report on exceptions across the enterprise, monitoring them
by control, department, or severity, to visualize the impact of policy exceptions on
the business and its compliance posture.
Exception Requests Application Workflow
The following figure shows the workflow of the Exception Requests application.

The following figure shows the process for granting exception request extensions.

Remediation Plans Application


The Remediation Plans application allows you to centrally manage multiple findings
and track actual and estimated remediation costs and timeframes. Relating multiple
findings in the context of remediation plans allows you to identify larger issues and
support informed decision making.
Remediation Plans Application Workflow
The following figure shows the workflow of the Remediation Plans application.

Policy Change Requests Application


The Policy Change Requests application allows you to document proposed changes
to company policies. In the context of the RSA Archer Threat Management
solution, a policy change request could be driven from a change in technical or non-
technical threats as identified by the threat assessment process. The policy change
could be driven by threat intelligence or as part of a threat assessment.
Policy Change Requests Application Workflow
The following figure shows the workflow of the Policy Change Requests
application.

RSA Archer Threat Management Process Flow


The following figure shows the process flow of the RSA Archer Threat
Management solution.

RSA Archer Threat Management User Groups and Access Roles


The RSA Archer Threat Management 4 solution uses pre-defined user groups and
access roles.
See the Data Dictionary for the list of groups and roles needed for the RSA Archer
Threat Management 4 solution.
For instructions, see "Add an Access Role" and "Add a Group" in the Access
Control section of the RSA Archer eGRC Platform Administrator Guide portfolio.
