RSA-Pivotal Security Big Data Reference Architecture RSA & Pivotal combine to help security teams detect threats quicker and speed up response

Transcription

1 RSA-Pivtal Security Big Data Reference Architecture RSA & Pivtal cmbine t help security teams detect threats quicker and speed up respnse ESSENTIALS RSA and Pivtal are cmbining t help custmers get: Better visibility int what s happening in their envirnments Mre cntextual analytics t help them priritize issues Actinable intelligence frm a diverse set f internal and external surces ATTACKERS STILL HAVE THE UPPER HAND Despite significant investment in infrmatin security, attackers appear t have the upper hand. Accrding t the Verizn Data Breach Investigatins reprt (2013), 97 percent f breaches led t data cmprmise within days r less, whereas 78 percent f breaches tk weeks r mre t discver. Attackers are becming mre rganized and better funded. But while attacks have becme dynamic, defenses have remained static. Tday s attacks are designed t explit the weaknesses f ur user-centric, hypercnnected infrastructures. IT-enabled rganizatins cntinue t grw mre cmplex. Organizatins nw demand much mre pen and agile systems, creating incredible new pprtunities fr cllabratin, cmmunicatin, and innvatin. This als results in new vulnerabilities that cyber criminals, hacktivist grups, and natin states have learned t explit. There are ften nt enugh skilled security prfessinals t help rganizatins prtect themselves effectively. The 2013 (ISC)2 Glbal Infrmatin Security Wrkfrce Study fund that 56% f its respndents believe that there is a security wrkfrce shrtage T reverse the tide and prtect their rganizatins better, security teams need a few things. They need: Better visibility int what s happening in their envirnments, frm their netwrks, t their servers t their applicatins and endpints. Mre cntextual analytics f what s ging n t help them priritize issues mre effectively and cncentrate mre resurces n thse issues that are mre likely t impact their business Actinable intelligence frm diverse surces, bth internal and external, t tell the system what t lk fr in a mre autmated way, and help them respnd quicker An architecture that scales t supprt the business as it grws and evlves RSA and Pivtal have wrked tgether t create an architecture that truly helps security teams t fulfill these needs, and help speed up attack detectin and respnse times, and reducing the impact f attacks n rganizatins. Mrever this apprach creates a platfrm that can be used fr a myriad f ther use case acrss IT peratins and the enterprise. SOLUTION OVERVIEW

2 VISIBILITY IS THE FOUNDATION FOR SUPERIOR ANALYTICS RSA and Pivtal prvide unparalleled visibility int user and system activity acrss the IT envirnment. RSA Security Analytics prvides a cllectin infrastructure that can prvides full visibility int Netwrk Activity by perfrming full packet capture, sessin recnstructin and analysis f packet data Lg Data by cllecting lg and event data frm devices and applicatins that supprt business and IT activity. Cllectin ccurs thrugh the deplyment f decder devices tpgraphically clse f the systems generating the data, either thrugh a span prt r tap (in the case f packets) r thrugh cmmn system prtcls including syslg, SNMP, ODBC r prprietary prtcls. RSA Security Analytics als integrates with systems that cllect cntextual infrmatin like Asset data this includes the cllectin f technical cnfiguratin data, as well as business cntext like what business prcesses the system supprts, r the criticality f the system Vulnerability data data which can add additinal cntext t an investigatin (e.g. when the system was last scanned and what vulnerabilities were present) r t help priritize respnse t attacks n vulnerable systems Identity data additinal cntextual infrmatin abut the user, their lcatin, their jb functin and the privileges they have. RSA Security Analytics enriches the lg and netwrk data it captures with this cntextual infrmatin t aid in the dwnstream prcessing f that data, either in the detectin r investigatin f threats Fig 1. Security Analytics High Level Architecture

3 ANALYTICS THROUGHOUT THE INFORMATION LIFECYCLE STREAMLINE DETECTION AND INVESTIGATION RSA and Pivtal cmbine t prvide numerus types f analytics, needed t spt threats at different times in the infrmatin lifecycle. The three main types f analytics prvided are: Capture time analytics t identify interesting characteristics f data right at the time f capture. This includes: Basic characteristics e.g. surce IP, destinatin IP, username, lg actin, etc. Interesting characteristics e.g. such use f encryptin, executable files, administrative users, administrative cmmands Indicatrs f cmprmise e.g. knwn bad IPs, knwn bad prtcls, watchlist users Security Analytics creates metadata ut f these interesting characteristics that can be used fr further analytics r t facilitate investigatins Streaming analytics t analyze metadata in real time t spt cncurrent sessins r actins happening ver a shrt time windw that might be an indicatr f a threat. This metadata culd be lg-based, netwrk-based r frm anther cntextual surce. Examples include: Basic SIEM-like crrelatin rules: like 5 failed lgns fllwed by a successful lgn Cmpund indicatrs f cmprmise: like a user dwnlading suspect JavaScript at arund the same time as an encrypted sessin t a blacklisted cuntry Hybrid lg & netwrk rules: like malfrmed traffic bund fr a hst at arund the same time as encrypted traffic t a blacklisted cuntry Streaming analytics can be based n cmbinatins f events r deviatins frm a baseline nrmal cunt f a piece f metadata. Streaming analytics appliances need nt be deplyed right at the pint f data cllectin, but can be deplyed in parallel thrughut the envirnment fr enhanced scalability. Batch analytics t identify lw and slw type attacks, and patterns that ccur ver extended perids f time. Batch analytics is perfrmed by the RSA Security Analytics Warehuse, which has Pivtal HD at its cre. Pivtal uses prven Hadp and ther Big Data technlgies, and the Pivtal Data Science Labs team t enable different analytic techniques including: Rules based pattern matching Cluster analysis Anmaly detectin Machine learning Batch analytics and these advanced methds facilitate use cases such as malicius dmain detectin, beacning hst detectin, and anmalus user behavir detectin. In additin, RSA Security Analytics prvides a lg archiving capability t allw rganizatins t satisfy retentin and reprting requirements, but stre the data in a cst-effective manner

4 ANALYTIC METHODS COMBINE TO FACILITATE ADVANCED SOC ACTIONS Threat analysts need a cmbinatin f capture time, stream and batch analytics t detect and investigate a full range f threats. Each f these methds cmbine t supprt a number f wrkstreams cmmn in a security peratins center, like: Visualizing heat maps f issues acrss an rganizatin by business unit r prfile Prfiling systems r devices fr indicatrs f risk Priritizing alerts when a particular critical business asset r user exhibits multiple suspicius characteristics ver a week-lng perid Prviding investigative cntext after an alert gets triggered t determine the cause r impact f an issue, e.g. if the user dwnladed an executable prir t the alert, r the IP accessed a critical asset after triggering the alert In additin, using Pivtal and Hadp, and the Pivtal Data Science Labs team ffers the ptential t add additinal capabilities like: Predictive mdeling using visibility and cntext t predict where issues are likely t ccur Analyst feedback lps allwing analysts t prvide feedback whether they think a particular alert warrants fllw-up, and allwing the system t learn that fr future alerts DISTRIBUTED ARCHITECTURE ALLOWS FOR ENTERPRISE SCALABILITY AND DEPLOYMENT Many systems have claimed t ffer this functinality, but have failed. This is because lder architecture using ld database technlgies and prprietary data stres dn t wrk. Mre analytical cmpute pwer than ever is needed t analyze the data, but this needs t be prvided cst effectively. Pivtal and RSA have teamed up t create a Security Analytics platfrm that prvides an architecture that deplys cmpnents thrughut the envirnment in rder t prvide superir scalability and deplyability, and the ability t deply the platfrm in a mdular way t suit an rganizatin s unique use cases. Cllectin and Capture-Time Analytics get deplyed clse t where the activity ccurs. This allws the system t scale acrss lcatins mre effectively. This als minimizes the impact n WAN cnnectins, since the system can be cnfigured t transfer nly metadata, nt raw data acrss these cnnectins. Streaming Analytics and Archiving get deplyed centrally r in a federated way. Architects can decide t deply the system in a mre central way, r in a federated way. This gives maximum flexibility t take int accunt cmpliance regulatins arund crss-brder data transfer requirements r netwrk cnstraints. Batch Analytics gets deplyed in a Hadp cluster that takes advantage f the resilient nature f a Hadp distributed cmputing envirnment SOCs perate where the best talent resides. With this architecture, the Security Operatins Center can access the data and perfrm analytics frm anywhere acrss the rganizatin. A sample multi-lcatin architecture diagram is included belw.

5 Fig 2. Sample deplyment fr Security Analytics and Pivtal PIVOTAL EXPANDS USES OF COLLECTED DATA ACROSS IT AND ENTERPRISE USE CASES The cmbined Pivtal and RSA platfrm allws IT rganizatins t gain greater value frm the data cllected thrugh the use f the cllected data fr nn-security use cases. The pen architecture gives IT rganizatins flexibility t leverage Hadp tls, r Pivtal tls like HAWQ and Spring XD t develp applicatins and analytics fr adjacent use cases like: Capacity planning Mean-time-t-repair analysis Dwntime impact analysis Shadw IT detectin Mrever, utside f security and IT peratins, there are a myriad f ptins fr incrprating security int a wider Enterprise Data Lake allwing the data t be used fr uses such as custmer experience mnitring and billing. This allws custmers t gain much wider benefit acrss their rganizatin frm their investment in Pivtal and RSA.

6 BENEFITS OF RSA-PIVOTAL APPROACH The jint RSA-Pivtal ffering prvides custmers with: Reduced risk f cmprmise by using the latest analytic and detectin techniques and threat intelligence t aid in the detectin, investigatin and respnse t security incidents Reduced deplyment risk and quicker time t value thrugh prven, validated architecture fr cllectin, analytics f data that prduces actinable intelligence at enterprise scale Less reliance n Data Science expertise t leverage cutting edge analytic techniques Take better advantage f existing security expertise by adding analytic firepwer Enterprise-wide benefits as cllected data integrates with the Enterprise data lake CONTACT US T learn mre abut hw EMC prducts, services, and slutins can help slve yur business and IT challenges, cntact yur lcal representative r authrized reseller r visit us at EMC 2, EMC, the EMC lg, RSA are registered trademarks r trademarks f EMC Crpratin in the United States and ther cuntries. VMware is a registered trademark r trademark f VMware, Inc., in the United States and ther jurisdictins. Cpyright 2014 EMC Crpratin. All rights reserved. Published in the USA. 02/14 Slutin Overview H12878 EMC believes the infrmatin in this dcument is accurate as f its publicatin date. The infrmatin is subject t change withut ntice.