DATA SHEET RSA SECURITY ANALYTICS


OVERVIEW OF CAPABILITIES FOR FEDERAL AGENCIES

ABOUT RSA
RSA's Security Solutions help organizations reduce the risks of operating in a digital world. Through visibility, analysis, and action, RSA solutions give customers the ability to detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately, prevent IP theft, fraud and cybercrime. For more information about RSA, please go to rsa.com.

OVERVIEW
Federal security teams need to evolve to stay in front of attackers and the latest threats, but in recent years this has become much more difficult. Attackers continue to advance and use sophisticated techniques to infiltrate government systems. Our adversaries spend significant resources performing reconnaissance to learn about Federal IT. They use this knowledge to develop techniques specifically designed to bypass the security tools being used.

Tools, Tactics and Procedures (TTPs) are the ways attackers work to target, exploit and compromise organizations. In recent years, attacker TTPs have become more sophisticated, mimicking normal Federal enterprise user behavior and undetectable by preventative, perimeter-based security controls.

RSA Security Analytics provides pervasive visibility with real-time behavior analytics to detect and investigate sophisticated attacker TTPs. Visibility is provided across:
- Data Sources – Full Packet Capture, NetFlow and Logs
- Threat Vectors – Endpoint, Network and Cloud

RSA Security Analytics' unique architecture captures and enriches data sources with security context in real time. Additionally, threat intelligence is applied to the enriched data to identify high-risk indicators such as APT domains, suspicious proxies or malicious networks. This method of processing large data sources in real time gives analysts security insight into their entire environment, from on-premises to cloud.

Analysts can now detect and investigate sophisticated attacks and truly understand the attacker TTPs. RSA Security Analytics captures full network packet data. This means an attack can be completely reconstructed by your security operators, giving them the insight they need to both understand the attacker TTPs and implement an effective remediation plan. RSA helps you stop your agency's adversaries from achieving their objectives.

SIEM AND BEYOND
SIEM solutions have been around for many years and they were designed primarily for two objectives:
1. Collect, analyze, report and store log data from hosts, applications and security devices to support security policy compliance management and regulatory compliance initiatives
2. Process and correlate, in real time, event data from security devices, network devices and systems to identify security issues that pose the biggest risk to an organization

While most SIEM solutions have met objective 1, a large majority of these solutions struggle to meet objective 2. These SIEM solutions do not have the scale and real-time analytics capabilities for identifying issues that can compromise an organization before an attacker achieves their objective.

RSA Security Analytics has the baseline SIEM capabilities for the compliance use cases, with pre-built templates for a majority of the regulations such as SOX, PCI or HIPAA.

RSA Security Analytics goes beyond the baseline SIEM capabilities. With scale and analytic capabilities, RSA Security Analytics will spot sophisticated attacks in real time. Additionally, the unique correlation across logs, packets, NetFlow and endpoint enables analysts to comprehensively investigate and reconstruct the event.

NETWORK MONITORING AND FORENSICS
RSA Security Analytics captures and enriches full network packet data alongside other data types, such as logs, NetFlow and endpoint. It processes the data types at time of capture as follows:
- Data enrichment – Associates normalized and intuitive metadata with raw data so the security analyst can focus on the security investigation instead of data interpretation.
- Apply threat intelligence – Threat intelligence is applied and correlated to the raw data at time of capture to quickly identify sophisticated attacks early.
- Parse and Sessionize Raw Packet Data – Raw packet data is parsed and sessionized at capture time so it is faster to retrieve and reconstruct the event during an investigation.

The ability to process network data in real time enables agency security operations teams to detect malicious activity earlier in a breach. IT security teams will also be able to investigate and remediate incidents both more effectively and more rapidly.

RSA Visibility
By using RSA Security Analytics, a security operations team will have full visibility across the kill chain as shown below. This means that security analysts can investigate the attacker TTPs at each stage of the cyber kill chain:
- Delivery – Targeted e-mail attachment, embedded links
- Exploitation – Opening of targeted malware on the endpoint, installation and hooking into the system
- Command and Control (C2) – Malware beaconing
- Action – Data exfiltration, lateral movement, disruption

Attacker TTPs are fully reconstructed with RSA Security Analytics, helping security operations teams deploy and execute an effective remediation.

CORRELATE, DETECT AND RESPOND IN REAL TIME
The Event Stream Analysis (ESA) module is a powerful analytics and alerting engine that enables correlation across multiple event types. ESA can ingest and analyze metadata from log, packet, NetFlow, and endpoint sources. This can happen with rules delivered out of the box, by creating custom rules using the underlying event processing language, or by using the rule builder wizard. The ESA capability helps analysts gain visibility into, and alert on, the attacker TTPs as they move across the kill chain.

The real-time behavioral analytics engine uses ESA functionality to automate detection of attacker TTPs early in the attack lifecycle.

Let's look at how this plays out in an attack scenario. RSA Security Analytics helps operators correlate a series of attacker actions and a combination of anomalous activities by users and other entities as possible leading indicators of Command and Control (C2) communications. This requires further investigation and ultimately a defensive activity (or counter strike) to stop the attacker. In this scenario, RSA Security Analytics automates C2 detection by accessing the right data, profiling attacker TTPs and detecting anomalies using behavior analytics.

Say an attack includes efforts by the adversary to move laterally in an environment: ESA can automatically detect this activity too. ESA's monitoring of credential-related activity (e.g. suspicious login activity and explicit logins) can help your agency detect and prosecute this harmful activity.

Once alerts are triggered in ESA, the RSA Security Analytics Incident Management capability provides the response workflow to assign, triage, investigate and remediate the incident.

ACTIONABLE THREAT INTELLIGENCE
RSA delivers threat intelligence to customers via RSA Live. The threat intelligence delivered by RSA Live is actionable, helping you detect the latest and most advanced threats. RSA Live converts threat intelligence into feeds for enriching raw data and correlation rules for detecting sophisticated attacks. RSA Live threat intelligence is generated by a combination of RSA Research and Incident Response teams, engineering and external sources.
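The scenario above describes two ESA detections and their correlation: periodic outbound connections as a leading indicator of C2 beaconing, and a burst of credential activity from one host as a lateral-movement indicator, combined so that a host showing both is raised as an incident candidate. The following is an added illustration of that correlation logic written in Python; it is not RSA code and does not use ESA's event processing language. The event fields (`ts`, `type`, `src`, `dst`, `account`, `result`), the thresholds, and the sample events are all constructed assumptions.

```python
# Added example (not RSA code, not ESA's rule language): a small stream
# correlator over normalized metadata events. It flags low-jitter periodic
# connections (a C2 beaconing indicator) and one account reaching many hosts
# in a short window (a lateral-movement indicator), then joins the two on the
# source host. Event fields, thresholds and sample data are assumptions.
from collections import defaultdict

# Constructed sample stream: what enriched metadata might look like after
# capture. Timestamps are seconds; hosts, accounts and addresses are fictional
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_EVENTS = [
    # ws-17 contacts one external host every ~60 s: low-jitter periodicity
    *[{"ts": t, "type": "network", "src": "ws-17", "dst": "203.0.113.10"}
      for t in (0, 60, 121, 180, 241, 300)],
    # ws-05 contacts an external host at irregular times: ordinary use
    *[{"ts": t, "type": "network", "src": "ws-05", "dst": "198.51.100.7"}
      for t in (5, 90, 400, 410, 900)],
    # ws-09 has too few connections to judge periodicity at all
    *[{"ts": t, "type": "network", "src": "ws-09", "dst": "198.51.100.7"}
      for t in (7, 67)],
    # svc-backup logs into five servers from ws-17 within 40 s
    *[{"ts": 310 + 10 * i, "type": "login", "account": "svc-backup",
       "src": "ws-17", "dst": f"srv-0{i + 1}", "result": "success"}
      for i in range(5)],
    # a failed attempt does not count as reaching a host
    {"ts": 360, "type": "login", "account": "svc-backup", "src": "ws-17",
     "dst": "srv-06", "result": "failure"},
    # alice's two logins are far apart in time: normal
    {"ts": 100, "type": "login", "account": "alice", "src": "ws-05",
     "dst": "srv-01", "result": "success"},
    {"ts": 5000, "type": "login", "account": "alice", "src": "ws-05",
     "dst": "srv-02", "result": "success"},
]


def detect_beacons(events, min_connections=5, max_cv=0.05):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly
    constant: coefficient of variation (stddev / mean) at or below max_cv."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough samples to call it periodic
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = sum(intervals) / len(intervals)
        var = sum((x - avg) ** 2 for x in intervals) / len(intervals)
        if avg > 0 and (var ** 0.5) / avg <= max_cv:
            hits.append({"rule": "periodic_beacon", "src": src, "dst": dst,
                         "period_s": round(avg, 1)})
    return hits


def detect_login_fanout(events, window_s=120, min_hosts=4):
    """Flag an account whose successful logins reach at least min_hosts
    distinct destination hosts within any window_s-second window."""
    by_account = defaultdict(list)
    for e in events:
        if e["type"] == "login" and e.get("result") == "success":
            by_account[e["account"]].append((e["ts"], e["src"], e["dst"]))
    hits = []
    for account, rows in by_account.items():
        rows.sort()
        for i, (ts, src, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - ts <= window_s]
            hosts = {r[2] for r in in_window}
            if len(hosts) >= min_hosts:
                hits.append({"rule": "login_fanout", "account": account,
                             "src": src, "hosts": sorted(hosts),
                             "window_start": ts})
                break  # one alert per account is enough for triage
    return hits


def correlate(events):
    """Join the two detections on the source host: a host that is beaconing
    and is also the origin of credential fan-out becomes an incident candidate
    spanning the C2 and Action stages of the kill chain."""
    beacons = detect_beacons(events)
    fanouts = detect_login_fanout(events)
    beaconing_hosts = {b["src"] for b in beacons}
    incidents = [{"host": f["src"], "account": f["account"],
                  "stages": ["command_and_control", "lateral_movement"]}
                 for f in fanouts if f["src"] in beaconing_hosts]
    return {"beacons": beacons, "fanouts": fanouts, "incidents": incidents}


if __name__ == "__main__":
    for kind, rows in correlate(SAMPLE_EVENTS).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

Either detector alone is noisy on real traffic (software updaters beacon; administrators fan out), which is why the incident candidate requires both indicators on the same host; the thresholds are starting points to tune against a baseline of the agency's own traffic, not fixed values.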

ARCHITECTURE
The RSA Security Analytics architecture is designed so that customers get security insight in real time when detecting and investigating incidents. As such, at capture time, data sources are sessionized and security-enriched at wire speed. Additionally, analytics such as behavior analysis are performed as streams of data sources are captured in real time. This means that events are being analyzed in real time, speeding the detection and alerting of anomalous activities.

From an investigation perspective, retrieval and reconstruction of sessions is also accelerated, as the raw data is parsed and indexed. This allows security analysts to retrieve the raw data quickly and reconstruct sessions.

The architecture consists of three functional components: capture, analysis and server. The architecture is modular to allow agencies to scale the RSA Security Analytics deployment based on capture or analysis performance requirements. RSA Security Analytics can be deployed in both physical and virtual environments.

SECURITY OPERATIONS ORCHESTRATION
A Security Operations Center (SOC) is comprised of people, process and technology. Effective orchestration of people, process and technology increases the effectiveness of the overall SOC program. Investing in technology and considering how the three aspects of the SOC work together is of fundamental importance. Orchestration and framework-based benchmarking can increase the return on investment and maximize the value of resources in a SOC implementation, reducing the time taken to respond to incidents.

RSA Security Operations Management (SecOps) provides the orchestration and framework for the SOC. It integrates with RSA Security Analytics, RSA ECAT and other third-party security monitoring systems, aggregating events, alerts and incidents and managing the overall incident response workflow. The workflow and the captured incident information are aligned with industry standards and best practices such as NIST, US-CERT, SANS and VERIS.

RSA SecOps caters to multiple user types within the SOC: from analysts, incident coordinators and SOC managers all the way to the CISO. SecOps provides stakeholders across roles and responsibilities with a view on the overall effectiveness of the SOC program.

By leveraging the Incident Response, Breach Response and SOC Program Management capabilities of RSA SecOps, your agency can guarantee that the overall security incident response functionality is being managed as an effective, predictable and consistent process.

Summary of the RSA Security Analytics components.

Component – Description
- Security Analytics Server – Web UI and management server, primary user interface.
- Decoder – Captures and stores raw data. Decoders are specific to Logs and Packets. Creates metadata from the raw data capture and enriches it with security context.
- Concentrator – Stores and indexes metadata for fast queries and retrieval of raw data capture.
- Hybrid (Decoder / Concentrator) – Decoder / Concentrator combination in a single appliance for branch monitoring. Hybrids are specific to Logs and Packets.
- Event Stream Analysis (ESA) – Real-time correlation and analysis engine across logs, packets, endpoints and NetFlow.
- Broker – Facilitates queries across a multi-site deployment of Concentrators and Decoders.
- Archiver – Long-term retention and compression of log data for compliance reporting.
- Virtual Log Collector (VLC) – Virtual instance of a log collector for remote sites to forward logs to the Decoder.
