What s New in Security Analytics Be the Hunter.. Not the Hunted

Transcription

1 What s New in Security Analytics 10.4 Be the Hunter.. Not the Hunted

2 Attackers Are Outpacing Detection Attacker Capabilities Time To Discovery Source: VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 2

3 TRANSFORM Visibility Analysis Intelligence-Driven Security Action 3

4 Security Analytics 10.4 Delivers.. Complete Visibility Rapid Investigations SIEM & Beyond Analytics Prioritized Incident Management Scalable and Modular Platform 4

5 5

6 Complete Visibility & Rapid Investigations 6

7 Expanded Collection Options 10G Support Netflow v5 and v9 Support Less critical network segments Internal network segments to gain insight into lateral movement activity Support 250+ Log Sources Support for CEF formatted logs Centralized Event Source Monitoring Improved Windows collection from multiple domains 7

8 Enhanced Network Investigations Accelerated UI performance Improved Session Reconstruction Streamlined analyst workflow Enhanced search functionality Choose to search on Meta, RAW, or all data Over 30+ Usability enhancement to improve day to day investigations. 8

9 Intellisense for advanced query search 9

10 Leveraging Meta Groups to Query 10

11 Enhanced Search Capabilities 11

12 Enhanced Content Search - Logs 12

13 Investigation ECAT Lookup 13

14 SIEM and Beyond Analytics 14

15 Event Stream Analytics SA s Real-Time Detection and Correlation Engine. Packets Correlates Logs, Packets, Netflow and Endpoint Meta Leverages RSA provided detection rules via Live Logs NetFlow LIVE Alerts User-configurable rule-builder Scales to 100k EPS per Appliance Endpoint 15

16 Centralized Rule Management 16

17 Alert Enrichment Options Flexible enrichment options: 3 rd party database queries Static tables & CSV files Geo/IP lookup Results from Advanced Analytics Requires Analytics Warehouse 17

18 Enhanced Notification Capabilities Leverage ESA generated Alerts with existing tools or as part of SA s Incidents. Flexible notification options: SNMP Syslog to include CEF format User-defined Script User Configurable Templates 18

19 Malware Analytics Updates Introducing Malware Dashboards with user-configurable thresholds Ability to integrate Malware Analytics into Incident Management feature Streamlined file submission capabilities Adhoc and Folder ingest. File Browser re-introduced with improved results & filter options 19

20 Data Science Driven Advanced Analytics Identify Outlier activity that could be indicative of under the radar threat activity Generate a Risk Rating based on nature of Anomaly Includes reports that Analysts can leverage to investigate. Introducing 3 BETA Analytics Models: Suspicious Domains Suspicious DNS Activity Host Profile Requires: Either MAPR or Pivotal HD Analytics Warehouse Packet Meta for at least 7, ideally 30 days. 20

21 Enabling Better Detection with Content Monthly Reports and Analytics content to deliver more value to customers. Over 195 application rules, 75 correlation rules. Several high profile specific threat updates: Heartbleed, IE9 Zero Day Game Over Zeus Shell crew Boleto Fraud Ring Many More in the Pipeline Future focus on Identity, Cloud and Expanded Threat Indicators SA Nailed it! RSA Security Analytics provided us the best view of attempts and issues on our network, better than any other product. 21

22 Prioritized Incident Management 22

23 Incident Management Event Stream Analytics ECAT Malware Analysis Investigations (Adhoc) 23

24 Incident Management Capabilities Streamlines analyst workflow, highlighting value of SA Assign, update and track incidents and journal natively in product Aggregates alerts from logs, packets, malware analysis and endpoint data into prioritized incidents Quickly take action directly from the investigation workflow Incident Management is a Feature of Event Stream Analytics 24

25 Centralized Alert Browser 25

26 Configurable Incident Correlation Rules 26

27 Centralized Incident Queue 27

28 Incident Workflow 28

29 Create and Assign from Investigation 29

30 User-Configured Incident Notifications 30

31 Workflow Integration Options Integrates with RSA Security Operations Management (SecOps) SA forwards alerts and associated events Capability to disable SA incident workflow to eliminate competing workflow queues Options to integrate with 3 rd party workflow tools. 31

32 Platform Enhancements 32

33 Platform Enhancements Centralized SA Health & Wellness Streamlined update infrastructure Centralized user management Support for SecurID Two-Factor Authentication (2FA) Archiver Back-up & restore options Upgraded storage options 33

34 Scalable & Modular Architecture 34

35 RSA Security Analytics Architecture Visibility LIVE Analysis Action Packets Capture Time Data Enrichment Logs LIVE Security Operations Security Operations LIVE NetFlow Endpoint RSA LIVE INTELLIGENCE Threat Intelligence Rules Parsers Feeds Reports RSA Research 35

36 For More Details.. Global Summit Session Podcasts Security Analytics Community RSA Speaking of Security Blog Release Notes & User Documentation Both published as part of GA release later this month 36

37 THANK YOU