RSA SECURITY ANALYTICS Visibility, Analysis and Action

Similar documents
Detect & Investigate Threats. OVERVIEW

Discover & Investigate Advanced Threats. OVERVIEW

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

RSA Security Analytics

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

What s New in Security Analytics Be the Hunter.. Not the Hunted

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

THE EVOLUTION OF SIEM

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Security Analytics for Smart Grid

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics

QRadar SIEM and FireEye MPS Integration

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Advanced Threats: The New World Order

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

DYNAMIC DNS: DATA EXFILTRATION

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

IBM Security Intelligence Strategy

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

IBM SECURITY QRADAR INCIDENT FORENSICS

Modern Approach to Incident Response: Automated Response Architecture

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

QRadar SIEM and Zscaler Nanolog Streaming Service

Cisco Advanced Malware Protection for Endpoints

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

Comprehensive Advanced Threat Defense

IBM QRadar Security Intelligence April 2013

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Using SIEM for Real- Time Threat Detection

The SIEM Evaluator s Guide

A New Perspective on Protecting Critical Networks from Attack:

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Under the Hood of the IBM Threat Protection System

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Intelligence Driven Security

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

SIEM is only as good as the data it consumes

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

IBM Security re-defines enterprise endpoint protection against advanced malware

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

End-user Security Analytics Strengthens Protection with ArcSight

Combating a new generation of cybercriminal with in-depth security monitoring

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Information-driven Security and RSA Security Analytics and RSA ECAT

SECURITY ANALYTICS AND MORE Putting together an effective Incident Response plan

Speed Up Incident Response with Actionable Forensic Analytics

Extreme Networks Security Analytics G2 Vulnerability Manager

IBM: An Early Leader across the Big Data Security Analytics Continuum Date: June 2013 Author: Jon Oltsik, Senior Principal Analyst

The session is about to commence. Please switch your phone to silent!

Strengthen security with intelligent identity and access management

AccelOps NOC and SOC Analytics in a Single Pane of Glass Date: March 2016 Author: Tony Palmer, Senior ESG Lab Analyst

RSA Security Anatomy of an Attack Lessons learned

Cisco Cyber Threat Defense - Visibility and Network Prevention

Win the race against time to stay ahead of cybercriminals

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

How to Choose the Right Security Information and Event Management (SIEM) Solution

Boosting enterprise security with integrated log management

After the Attack: RSA's Security Operations Transformed

Rashmi Knowles Chief Security Architect EMEA

Cisco Advanced Malware Protection for Endpoints

High End Information Security Services

SANS Top 20 Critical Controls for Effective Cyber Defense

IBM Security X-Force Threat Intelligence

IBM Security QRadar Vulnerability Manager

Unified Security, ATP and more

Integrating MSS, SEP and NGFW to catch targeted APTs

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Information Technology Policy

I D C A N A L Y S T C O N N E C T I O N

How To Manage Security On A Networked Computer System

Defending Against Data Beaches: Internal Controls for Cybersecurity

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

White. Paper. Rethinking Endpoint Security. February 2015

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Caretower s SIEM Managed Security Services

The Purview Solution Integration With Splunk

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

ESG Brief. Overview by The Enterprise Strategy Group, Inc. All Rights Reserved.

RSA Archer Training. Governance, Risk and Compliance. Managing enterprise-wide governance, risk and compliance through training and education

The Sumo Logic Solution: Security and Compliance

The Benefits of an Integrated Approach to Security in the Cloud

IBM Security IBM Corporation IBM Corporation

EnCase Analytics Product Overview

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Instilling Confidence in Security and Risk Operations with Behavioral Analytics and Contextualization

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Transcription:

RSA SECURITY ANALYTICS Visibility, Analysis and Action OVERVIEW Security teams need to evolve to stay in front of attackers and the latest threats, but in recent years this has become much more difficult. Attackers continue to advance and use sophisticated techniques to infiltrate organizations. Attackers spend significant resources performing reconnaissance to learn about organizations and develop techniques specifically designed to bypass the security tools being used. Tools, Tactics and Procedures (TTPs) are the ways the attackers work to target, exploit and compromise organizations. In recent years, attacker TTPs have become more sophisticated, mimicking normal user enterprise behavior, and undetectable by preventative, perimeter based security controls. RSA Security Analytics provides pervasive visibility with real-time behavior analytics to detect and investigate the sophisticated attacker TTPs. Visibility is provided across: NETWORK MONITORING AND FORENSICS RSA Security Analytics captures and enriches full network packet data alongside other data types, such as logs, NetFlow and endpoint. It processes the data types at time of capture as follows: Data enrichment Associates normalized and intuitive metadata to raw data so the security analyst can focus on the security investigation instead of data interpretation. Apply threat intelligence Threat intelligence is applied and correlated to the raw data at time of capture to quickly identify sophisticated attacks early. Parse and Sessionize Raw Packet Data Raw packet data is parsed and sessionized at capture time so it s faster to retrieve and reconstruct the event during an investigation. Data Sources Full Packet Capture, NetFlow and Logs Threat Vectors Endpoint, Network and Cloud RSA Security Analytics unique architecture captures and enriches data sources with security context in realtime. Additionally, threat intelligence is applied to the enriched data to identify high risk indicators as APT domains, suspicious proxies or malicious networks. This method of processing large data sources in realtime provides analysts with security insight into their entire environment from on-premise to cloud. The ability to process the data in real-time as indicated above enables security operations team to detect earlier and investigate more effectively and faster. For example, in a Spear Phishing attack, the attacker implements a series of steps across the kill chain. Analysts can now detect and investigate sophisticated attacks and truly understand the attacker TTPs. RSA Security Analytics captures full network packets, which means an attack can be reconstructed to fully understand the attacker TTPs and in turn implement an effective remediation plan to stop the attacker from achieving their objective. DATA SHEET

By using RSA Security Analytics, a security operations team will have full visibility across the kill chain as shown below. For example, a series of attacker actions and a combination of anomalous activities by users and entities could be leading indicators of Command and Control (C2) communications which will require further investigation and counter strike to stop the attacker. By having access to the right data, profiling attacker TTPs and detecting anomalies utilizing behavior analytics, RSA Security Analytics automates C2 detection. This means that security analysts can investigate the attacker TTPs at each stage of the cyber kill chain as follows: Delivery Targeted E-Mail attachment, Embedded Links Exploitation Opening of targeted malware of the endpoint, installation and hooking into the system C2 Malware beaconing Action Data Exfiltration, Lateral Movement, Disruption Attacker TTPs are fully reconstructed with RSA Security Analytics and this helps the security operations team to put an effective remediation plan in place. CORRELATE, DETECT AND RESPOND IN REAL TIME The Event Stream Analysis (ESA) module is a powerful analytics and alerting engine that enables correlation across multiple event types. ESA can consume and analyze metadata from log, packet, NetFlow, and endpoint sources using rules delivered out of the box or by creating custom rules using the underlying event processing language or the rule builder wizard. The ESA capability helps analysts gain visibility and alert on the attacker TTPs as they move across the kill chain. Similarly, detection of lateral movement in a windows environment can be automated using ESA. In this case by actively monitoring Windows credential harvesting services, suspicious login activity and explicit logins could help in detecting an attacker s attempt at moving laterally across the organization. The real-time behavioral analytics engine uses ESA functionality to automate detection of attacker TTPs early in the attack lifecycle. Once alerts are triggered in ESA, the RSA Security Analytics Incident Management capability provides the response workflow to assign, triage, investigate and remediate the incident.

ACTIONABLE THREAT INTELLIGNCE RSA delivers threat intelligence to customers via RSA Live. The threat intelligence delivered by RSA Live is actionable and helps customers detect the latest threats. RSA Live converts threat intelligence into feeds for enriching raw data and correlation rules for detecting the sophisticated attacks. RSA Live threat intelligence is generated by a combination of RSA Research and Incident Response teams, engineering and external sources. ENDPOINT VISIBILITY AND ENRICHMENT RSA Enterprise Compromise Assessment Tool (ECAT) provides visibility into endpoints by leveraging unique behavior analytics to flag anomalous activity, provide machine suspect scores and block/quarantine suspicious processes. RSA ECAT and RSA Security Analytics are tightly integrated. Events generated by RSA ECAT are ingested by RSA Security Analytics and correlated against packet, log and NetFlow data to detect sophisticated attacks. Additionally, as part of an investigation or when an incident is triggered, ECAT provides the source of endpoint enrichment for Security Analytics. A security analyst can contextually link into ECAT from Security Analytics by right clicking, and vice-versa. SIEM AND BEYOND SIEM solutions have been around for many years and they were designed primarily for two objectives: 1. Collect, analyze, report and store log data from hosts, applications and security devices to support security policy compliance management and regulatory compliance initiatives 2. Process and correlate in real time event data from security devices, network devices and systems to identify security issues that pose the biggest risk to an organization While most SIEM solutions have met objective number 1, a big majority of these solutions struggle to meet objective number 2. These SIEM solutions do not have the scale and real-time analytics capabilities for identifying issues that can compromise an organization before an attacker achieves their objective. RSA Security Analytics has the baseline SIEM capabilities for the compliance use cases with pre-built templates for a majority of the regulations such as SOX, PCI or HIPAA. RSA Security Analytics goes beyond the baseline SIEM capabilities. With scale and analytic capabilities, RSA Security Analytics will spot sophisticated attacks in realtime. Additionally, the unique correlation across logs, packets, NetFlow and endpoint enables analysts to comprehensively investigate and reconstruct the event. SECURITY OPERATIONS ORCHESTRATION A Security Operations Center (SOC) is comprised of people, process and technology. The orchestration of people, process and technology increases the effectiveness of the overall SOC program. Investing in technology and considering how the three aspects of the SOC work together is an effective strategy. Orchestration and framework can increase the return on investment and maximize the value of resources in a SOC implementation, reducing the time taken to respond to incidents. RSA Security Operations Management (SecOps) provides the orchestration and framework for the SOC. It integrates with RSA Security Analytics, RSA ECAT and other third party security monitoring systems, aggregating events/alerts/incident and managing the overall incident response workflow. The workflow and

capturing incident information is aligned with industry best standards such as NIST, US-CERT, SANS and VERIS. The following table provides a summary of the RSA Security Analytics components. RSA SecOps caters to multiple personas within the SOC from the analysts, incident coordinators, SOC manager and CISO, providing a view on the overall effectiveness of the SOC program. By leveraging the Incident Response, Breach Response and SOC Program Management capabilities of RSA SecOps, an organization can guarantee that the overall security incident response functionality is being managed as an effective, predictable and consistent process. ARCHITECTURE The RSA Security Analytics architecture is designed so that customers get security insight in real time when detecting and investigating incidents. As such, at capture time, data sources are sessionized and security enriched at wire speeds. Additionally, analytics such as behavior analysis are performed as streams of data sources are captured in real time. This means that events are being analyzed in real time, speeding the detection and alerting of anomalous activities. From an investigation perspective, retrieval and reconstruction of sessions is faster since the raw data is parsed and indexed. This allows security analysts to retrieve the raw data quickly and reconstruct sessions. The architecture consists of three functional components: capture, analysis and server. It is a modular architecture allowing customers to scale the RSA Security Analytics deployment based on capture or analysis performance requirements. From a deployment perspective, RSA Security Analytics can be deployed in both physical and virtual environments.

HARDWARE SPECIFICATIONS The following is a summary of HW specifications for the various RSA Security Analytics components. EMC2, EMC, the EMC logo, RSA, the RSA logo, and Archer are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2016 EMC Corporation. All rights reserved. Published in the USA. 2/16 Data Sheet H14903 RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information