BEYOND THE SIEM RSA NETWITNESS - Infocom Security

Transcription

BEYOND THE SIEM: RSA NETWITNESS
Accelerated Threat Detection & Automated Response, from the Endpoint to the Cloud
Bernard Montel, Regional PreSales Manager

SECURITY OPERATIONS CHALLENGES
A SHIFTING LANDSCAPE: Difficult to see any and all threats
BUSINESS RISK INSIGHTS: Struggle to link alerts with business risk
RESOURCE SHORTAGES: Skilled analysts are in short supply

RSA'S EVOLVED SIEM WORKS WITH YOU TO SOLVE THOSE CHALLENGES
Visibility and Early Detection: Transform raw data into actionable insights. Analyze Big Data sets with business context to identify potential threats.
Quickly Investigate and Assess: Validate incidents and realize true impact and scope of risks. Behavioral & Machine Learning Analytics for comprehensive detection and forensics.
Effective Threat Remediation: Act and mitigate before threats become breaches. Integrated platform enables optimized response.
"RSA's Evolved SIEM helped us reduce our response times dramatically and realize the scope of a threat, delivering a comprehensive view into our network risks and threats." (Manager of Security Operations Group, Global Software Vendor)

Complete Visibility for early threat detection
You cannot detect what you cannot see!
Logs, network, endpoints, cloud
Data enriched and transformed into powerful metadata
Business risk & compliance context
"Without these tools we wouldn't have half the visibility we need to detect threats on our network and endpoints." (Security Analyst, large North American based retail company)

Investigate & Assess with Advanced Analytics
Fast and Accurate Investigations!
Correlate multiple data sources
User and Entity Behavior Analytics
Out-of-the-box threat intelligence
Machine learning & data science
"With RSA NetWitness Platform we can detect advanced malware and security incidents on the perimeter, and use the platform to register and handle them all. It's the backbone of our security analytics center." (Rasmus Theede, Corporate VP Group Security, KMD)

Effective Threat Remediation to prevent threats from becoming breaches
Assess and Remediate the full threat!
Accelerate and automate incident triage
Focus on the threats that matter most
Orchestrated SOC response with business context
"RSA's fast and comprehensive response to advanced attacks enables us to mitigate threats before they can do any damage to our business." (Yumiko Matsubara, Security Architecture Manager, Recruit Technologies Co., Ltd.)

RSA'S EVOLVED SIEM (platform overview diagram)
Data sources: Packets, Logs, Cloud
Intelligence & Context Tagging
User Behavior Analytics
Visibility and Detection
Investigate and Assess
Action and Response

SOLUTIONS INCLUDED AT NO CHARGE TO RSA NETWITNESS PLATFORM CUSTOMERS
RSA NetWitness Endpoint Insights: Lightweight endpoint agent. Adds context to accelerate threat detection & response. Delivers timely insights into endpoint hosts via scans. Simplifies Microsoft Windows Logs collection.
RSA NetWitness UEBA Essentials: Content Pack with user-focused rule set. Provides high confidence, high fidelity detection of user- and entity-based threats. Correlates multiple data sources to identify anomalous or suspicious user behavior.

What do Industry Analysts and our Customers say about RSA NetWitness Platform?
"A single vendor that integrates capabilities including core SIEM, network monitoring and analysis, EDR, and UEBA."
"RSA's fast and comprehensive response to advanced attacks enables us to mitigate threats before they can do any damage to our business." (Yumiko Matsubara, Security Architecture Manager, Recruit Technologies Co., Ltd.)

RSA NETWITNESS PLATFORM CONCEPTS: METADATA, CORE COMPONENTS

Full Visibility and Context
What was targeted? How did the exploit occur? How did the attackers move around once inside? Was the endpoint exploited? Were others infected?
LOGS / PACKETS: Intrusion attempts. Beaconing and suspicious communications. "Sticky-keys" backdoor. Malicious proxy tools. Recreate entire exploit.
NETFLOW: Lateral movement via RDP.
ENDPOINT: Time / date "stomping". Indicators: malicious files, code, and processes. Scope of infection.
Enterprise Visibility: RSA NetWitness Suite consumes and normalizes ALL available threat data to deliver faster, more accurate risk analysis.

METADATA: IT'S THE STORY BEHIND THE DATA
In a single interface, at capture time. Metadata tags shown for one session: China, Log, Threat TTP, Post no 4, Encoded Payload, Biz Context, Command line with Zip Password, Tor Node, Payload is FTP, Encrypted Zip File.

RSA'S UNIQUE APPROACH TO DETECTING THREATS
Connect the dots to understand the full attack scope and complete investigations. Prioritized threat risk.
Metadata fields drawn from PACKETS, LOGS and ENDPOINT: Ethernet Connections, Top Level Domain, Content Type, Browser, File Fingerprints, URL in Email, Country Src/Dst, Referrer, 200, IP Src/Dst, User Name, Email Address, Cookie, Credit Cards, Hostname, IP Alias, Forwarded, Client/Server Application, Embedded …, Crypto Type, PDF/Flash Version, Directory, Mac Address Alias, SQL Query, Non Standard File Packers, Access Criticality, User Agent, Failed Windows login, Protocol Fingerprints, HTTP Headers, Ports, Database Name, SSL, Language

LEVERAGE MULTIPLE THREAT INTEL SOURCES (NetWitness Suite integration diagram)

MITRE ATT&CK FRAMEWORK: RSA NETWITNESS PLATFORM MAPPING
Attack stages detected according to the MITRE ATT&CK framework using RSA NetWitness …
Tactics shown (columns): …, Lateral Movement, Collection, Exfiltration, Command and Control
Techniques shown: Create Account, Process Injection, Rundll32, Brute Force, Account Discovery, Remote Desktop Protocol, Data Staged, Data Encrypted, Data Encoding, Drive-by Compromise, PowerShell, New Service, … Discovery, Remote File Copy, Data from Local System, Data Transfer Size Limits, Remote File Copy, Valid Accounts, Scheduled Tasks, Registry Run Keys, Web …, … Discovery, SSH Hijacking, Data from Removable Media, Exfiltration over Command and Control
Detection source per cell: Endpoint, UEBA

RSA'S EVOLVED SIEM
A Single, Unified Platform for All Your Data
Integrated Threat and Business Context
Automated User Behavior Analytics
Smart and Fast Investigations
Orchestrated Actions
Flexible, Scalable Architecture
End-to-End Security Operations
