RSA SECURITY ANALYTICS Network Monitoring & Forensics
SECURITY TEAMS NEED MORE FIREPOWER
Today's threats are multi-faceted, dynamic and stealthy. The most dangerous
attacks have never been seen before, rendering signature-based technologies
ineffective. These threats often don't leave a footprint in logs, so security teams
must augment their existing security technologies with network packet-based
detection and investigations. To be effective, today's tools need to be able to
handle the most current threats and handle issues like:
Lateral movement of threats as they gain foothold
Covert characteristics of attack tools, techniques & procedures
Use of non-standard communication tools
Exfiltration or sabotage of critical data
To raise their game security teams need more effective threat detection and need
to conduct investigations significantly faster. This includes the ability to look at all
this data with the minimum amount of manual effort, detect abnormal activity,
analyze potential threats, and do a more detailed investigation of those threats
that pose the biggest risks. When seeking more clarity and definitive answers to
the most challenging security questions, security teams need a deeper level of
detail and the agility to quickly examine application layer sessions and events in a
way that is easy to comprehend and this needs to be done in a matter of
minutes, not hours or days.
RSA Security Analytics for Network Forensics
DEEP VISIBILITY DRIVES DETECTION
RSA Security Analytics captures and enriches full network packet data alongside
other data types, like NetFlow, logs and endpoint data. RSA Security Analytics is
a security solution with a flexible, modular approach allowing you to choose the
full solution or to augment your existing security technologies with just network
packet-based detection and investigation capabilities.
AT A GLANCE
Augment your existing SIEM's capabilities with better visibility, analysis and workflow.
Discover attacks missed by other tools.
Inspect every packet session for threat indicators at time of collection with capture-time data enrichment.
Instantly pivot from incidents into network packet detail to perform network forensics and understand the true nature and scope of the issue.
RSA's Network Forensic and Monitoring solution:
Performs data enrichment at the time of capture. It uses the solution's
patented metadata framework to organize the data in a clear and navigable
way. The metadata framework is based on a lexicon of nouns, verbs and
adjectives: characteristics of the actual application layer content and
context parsed by Security Analytics at the time of capture. The metadata
from the packets is normalized so the analyst can focus on the security
investigation instead of data interpretation.
Executes rapid, deep investigation into network data. Having full
network packet data allows you to readily reconstruct exactly what happened.
With RSA Security Analytics this happens instantly since the network raw data
is tagged at the time of capture for rapid retrieval in the event of an
investigation, rather than the slow reconstruction of that data when
investigating a problem, when time is at a premium. In addition, the incident
management capability built into RSA Security Analytics lets investigators
collaborate, annotate and manage response activities around a particular
issue.
Automatically updates with latest threat intelligence. RSA Security
Analytics includes hundreds of parsers, plus dozens of correlation rules and
feeds that detect the most current threats. RSA automatically delivers this
threat intelligence to customers and embeds it into their systems. Therefore,
users are able to more easily take advantage of what others have already
found and spend less time building their system to identify threats that exist
in their own environment.
CAPTURE TIME PACKET DATA ENRICHMENT MAKES DETECTION AND INVESTIGATIONS FASTER AND EASIER
RSA's security approach is akin to removing the hay (of known good) until only
needles (likely bad issues) remain, as opposed to traditional security approaches
which attempt to search for needles in a giant haystack of data. To achieve this,
RSA performs deep data enrichment right at the time of capture making it much
faster and more valuable for analysis in the midst of an investigation. This
includes additional context, such as asset criticality, vulnerability data, risk level,
event type, event source, device information, IP information, and configuration
data expressed in over 175 different metadata fields. The figure below shows a
sample of session characteristics captured by RSA Security Analytics.
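The "remove the hay" approach above can be illustrated with a small capture-time enrichment pipeline. The following Python is an added example written for this page; it is not RSA's code and does not use the product's API or metadata field names. It assumes a constructed asset inventory, a constructed known-good list, and session records that have already been parsed from the application layer, then tags each session with noun/verb/adjective style metadata, adds asset criticality and a coarse risk level, and subtracts the known-good sessions so only the needles remain.

```python
"""Toy capture-time metadata enrichment pipeline (constructed example).

Models the idea in the data sheet: tag each session with normalized metadata
as it is captured, attach context (asset criticality, risk), and subtract the
known-good so that only suspicious sessions are left for an analyst.
"""
from dataclasses import dataclass

# Constructed asset inventory (hypothetical addresses and labels).
ASSET_CRITICALITY = {
    "10.0.1.5": "high",     # finance file server
    "10.0.2.20": "medium",  # workstation
    "10.0.2.21": "medium",  # workstation
}

# Constructed known-good profiles: (service, destination) pairs the organisation expects.
KNOWN_GOOD = {
    ("http", "updates.example.test"),
    ("dns", "10.0.0.53"),
}

# Ports on which each service is expected; anything else is an "adjective".
STANDARD_PORTS = {"http": {80, 8080}, "dns": {53}, "ssh": {22}, "smb": {445}}


@dataclass
class Session:
    src: str
    dst: str
    dst_port: int
    service: str            # noun: service identified from payload, not from port
    action: str             # verb: get, put, query, login, transfer
    dst_name: str = ""      # e.g. HTTP Host header
    filename: str = ""      # transferred file name, if any
    bytes_out: int = 0      # bytes sent from src to dst


def extract_metadata(s: Session) -> dict:
    """Derive noun/verb/adjective metadata from the application-layer view of a session."""
    meta = {
        "service": s.service,
        "action": s.action,
        "src": s.src,
        "dst": s.dst,
        "dst_name": s.dst_name,
        "adjectives": set(),
    }
    if s.dst_port not in STANDARD_PORTS.get(s.service, set()):
        meta["adjectives"].add("non-standard port")
    if s.filename.lower().endswith((".exe", ".dll", ".ps1")):
        meta["adjectives"].add("executable content")
    if s.action in ("put", "transfer") and s.bytes_out > 1_000_000:
        meta["adjectives"].add("large outbound transfer")
    return meta


def enrich(meta: dict) -> dict:
    """Attach capture-time context: source asset criticality and a coarse risk level."""
    crit = ASSET_CRITICALITY.get(meta["src"], "unknown")
    meta["src_criticality"] = crit
    score = len(meta["adjectives"]) + (1 if crit == "high" else 0)
    meta["risk"] = "high" if score >= 2 else "medium" if score == 1 else "low"
    return meta


def find_needles(sessions):
    """Remove the hay (known-good sessions with no notable adjectives); return the rest."""
    needles = []
    for s in sessions:
        meta = enrich(extract_metadata(s))
        target = meta["dst_name"] or meta["dst"]
        known_good = (meta["service"], target) in KNOWN_GOOD
        if known_good and not meta["adjectives"]:
            continue
        needles.append(meta)
    return needles


# Constructed sample sessions (documentation-range addresses, hypothetical names).
SAMPLE_SESSIONS = [
    Session("10.0.2.20", "203.0.113.10", 80, "http", "get", dst_name="updates.example.test"),
    Session("10.0.2.20", "10.0.0.53", 53, "dns", "query"),
    Session("10.0.2.21", "203.0.113.77", 443, "http", "get",
            dst_name="cdn.example.test", filename="setup.exe"),
    Session("10.0.1.5", "198.51.100.9", 8443, "ssh", "transfer", bytes_out=50_000_000),
]

if __name__ == "__main__":
    for n in find_needles(SAMPLE_SESSIONS):
        print(n["risk"], n["src"], "->", n["dst"], sorted(n["adjectives"]))
```

Run as a script it prints the two remaining sessions: cleartext HTTP on port 443 carrying an executable, and a large transfer from the high-criticality server over SSH on a non-standard port. The two known-good sessions never reach the analyst, which is the point of enriching at capture time rather than reconstructing context during an investigation.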
UNIQUE DISTRIBUTED ARCHITECTURE FOR SCALABILITY
RSA Security Analytics' unique architecture allows organizations to collect and
analyze large amounts of data and expand linearly. The federated infrastructure
allows organizations to scale, while still maintaining the ability to analyze and
query seamlessly across the system. In order to analyze application layer traffic in
real time at high data rates, the capture infrastructure must scale out as well as
scale up. The distributed and hierarchical nature of the Security Analytics
infrastructure enables an organization to incrementally add data collection,
analysis, and archiving as needed. In higher throughput environments, the ability
to separate primary read and write-to-disk functions allows Security Analytics to
maintain both high capture rates and fast analytic response times.
FLEXIBLE INTEGRATION
Integrate with your existing SIEM implementation by using RSA Security
Analytics' open API to extend the value. This gives you the ability to easily
investigate alerts found in your existing SIEM using RSA Security Analytics, or
forward alerts from RSA Security Analytics to your SIEM or other tool.
RSA Security Analytics also has the ability to combine your existing SIEM alerts
with RSA Security Analytics alerts in the Incident Management console. This gives
analysts the ability to aggregate alerts across tools into security incidents, which
then are prioritized for a much more informed and efficient response.
EMC2, EMC, the EMC logo, and RSA are registered trademarks or trademarks of EMC
Corporation in the United States and other countries. VMware is a registered trademark or
trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2014 EMC
Corporation. All rights reserved. Published in the USA. 08/14 Data Sheet H13416
EMC believes the information in this document is accurate as of its publication date. The
information is subject to change without notice.