RSA SECURITY ANALYTICS
Network Monitoring & Forensics

AT A GLANCE
- Augment your existing SIEM's capabilities with better visibility, analysis and workflow.
- Discover attacks missed by other tools.
- Inspect every packet session for threat indicators at time of collection, with capture-time data enrichment.
- Instantly pivot from incidents into network packet detail to perform network forensics and understand the true nature and scope of the issue.

Today's threats are multi-faceted, dynamic and stealthy. The most dangerous attacks have never been seen before, rendering signature-based technologies ineffective. These threats often don't leave a footprint in logs, so security teams must augment their existing security technologies with network packet-based detection and investigation. To be effective, today's tools need to handle the most current threats and issues like:
- Lateral movement of threats as they gain a foothold
- Covert characteristics of attack tools, techniques and procedures
- Use of non-standard communication tools
- Exfiltration or sabotage of critical data

SECURITY TEAMS NEED MORE FIREPOWER
To raise their game, security teams need more effective threat detection and need to conduct investigations significantly faster. This includes the ability to look at all this data with the minimum amount of manual effort, detect abnormal activity, analyze potential threats, and investigate in more detail those threats that pose the biggest risks. When seeking more clarity and definitive answers to the most challenging security questions, security teams need a deeper level of detail and the agility to quickly examine application layer sessions and events in a way that is easy to comprehend, and this needs to be done in a matter of minutes, not hours or days.
DEEP VISIBILITY DRIVES DETECTION
RSA Security Analytics captures and enriches full network packet data alongside other data types, like NetFlow, logs and endpoint data. RSA Security Analytics is a security solution with a flexible, modular approach, allowing you to choose the full solution or to augment your existing security technologies with just network packet-based detection and investigation capabilities. RSA's Network Forensic and Monitoring solution:
- Performs data enrichment at the time of capture. It uses the solution's patented metadata framework to organize the data in a clear and navigable way. The metadata framework is based on a lexicon of nouns, verbs and adjectives: characteristics of the actual application layer content and context parsed by Security Analytics at the time of capture. The metadata from the packets is normalized so the analyst can focus on the security investigation instead of data interpretation.
- Executes rapid, deep investigation into network data. Having full network packet data allows you to readily reconstruct exactly what happened. With RSA Security Analytics this happens instantly, since the raw network data is tagged at the time of capture for rapid retrieval in the event of an investigation, rather than being slowly reconstructed while a problem is being investigated, when time is at a premium. In addition, the incident management capability built into RSA Security Analytics lets investigators collaborate, annotate and manage response activities around a particular issue.
- Automatically updates with the latest threat intelligence. RSA Security Analytics includes hundreds of parsers, plus dozens of correlation rules and feeds that detect the most current threats. RSA automatically delivers this threat intelligence to customers and embeds it into their systems.
Therefore, users are able to more easily take advantage of what others have already found and spend less time building their system to identify threats that exist in their own environment.

CAPTURE-TIME PACKET DATA ENRICHMENT MAKES DETECTION AND INVESTIGATIONS FASTER AND EASIER
RSA's security approach is akin to removing the "hay" (known good) until only "needles" (likely bad issues) remain, as opposed to traditional security approaches, which attempt to search for needles in a giant haystack of data. To achieve this, RSA performs deep data enrichment right at the time of capture, making the data much faster and more valuable to analyze in the midst of an investigation. This includes additional context, such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information and configuration data, expressed in over 175 different metadata fields. The figure below shows a sample of session characteristics captured by RSA Security Analytics.

UNIQUE DISTRIBUTED ARCHITECTURE FOR SCALABILITY
RSA Security Analytics' unique architecture allows organizations to collect and analyze large amounts of data and expand linearly. The federated infrastructure allows organizations to scale while still maintaining the ability to analyze and query seamlessly across the system. To analyze application layer traffic in real time at high data rates, the capture infrastructure must scale out as well as scale up. The distributed and hierarchical nature of the Security Analytics infrastructure enables an organization to incrementally add data collection, analysis and archiving as needed. In higher-throughput environments, separating the primary read and write-to-disk functions allows Security Analytics to maintain both high capture rates and fast analytic response times.

FLEXIBLE INTEGRATION
Integrate with your existing SIEM implementation by using RSA Security Analytics' open API to extend its value.
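The capture-time enrichment and "remove the hay" workflow described above, as an added illustration of the general technique. This is not RSA product code and uses none of its APIs or metadata vocabulary: the field names (service, action, host, user_agent, filename, extension, direction, dst_port, port_matches_service), the known-good profile, the RFC 1918 address plan and the four sample sessions are all constructed assumptions. Each session is parsed once when captured, the resulting metadata is indexed so sessions can be retrieved by characteristic without re-parsing raw bytes, and a known-good profile is subtracted so only the sessions it cannot explain remain for review.

```python
"""Added illustration (not RSA code): parse each session once at capture into
normalized metadata, index it, and subtract a known-good profile so only
unexplained sessions remain. Field names, profile and samples are assumptions."""
import ipaddress
import re
from collections import defaultdict, namedtuple

REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
BROWSER_UA = re.compile(r"^Mozilla/")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")
HTTP_PORTS = {80, 8080}
# Assumed internal address plan (RFC 1918); a real deployment would use its own.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# payload holds the leading bytes of the client-to-server stream
Session = namedtuple("Session", "sid src dst dport payload")

def _direction(src, dst):
    s_int = any(ipaddress.ip_address(src) in n for n in INTERNAL)
    d_int = any(ipaddress.ip_address(dst) in n for n in INTERNAL)
    return "lateral" if s_int and d_int else ("outbound" if s_int else "inbound")

def _parse_http(payload):
    """HTTP request characteristics, or None if the stream is not HTTP."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1", "replace")
    filename = m.group(2).decode("latin-1", "replace").rsplit("/", 1)[-1].split("?", 1)[0]
    return {"action": m.group(1).decode("ascii").lower(),
            "host": headers.get("host", ""),
            "user_agent": headers.get("user-agent", ""),
            "filename": filename,
            "extension": filename.rsplit(".", 1)[-1] if "." in filename else "",
            "body_bytes": len(body)}

def enrich(session):
    """Capture-time enrichment: parse once, emit normalized metadata fields."""
    meta = {"sid": session.sid, "direction": _direction(session.src, session.dst),
            "dst_port": session.dport, "service": "unknown"}
    http = _parse_http(session.payload)
    if http:
        meta["service"] = "http"
        meta.update(http)
    # A protocol/port mismatch (HTTP on 8443, non-HTTP bytes on 80) is itself a recorded characteristic.
    meta["port_matches_service"] = (meta["service"] == "http") == (session.dport in HTTP_PORTS)
    return meta

def build_index(metas):
    """Inverted index field -> value -> {sid}: built once at capture, queried many times."""
    index = defaultdict(lambda: defaultdict(set))
    for m in metas:
        for key, value in m.items():
            if key != "sid":
                index[key][value].add(m["sid"])
    return index

def query(index, **criteria):
    """AND of field=value lookups, e.g. query(idx, service="http", direction="lateral")."""
    hits = None
    for key, value in criteria.items():
        ids = index[key].get(value, set())
        hits = ids if hits is None else hits & ids
    return sorted(hits) if hits else []

def is_known_good(meta):
    """Assumed profile of expected traffic: a browser fetching a named external host over HTTP."""
    return (meta["service"] == "http" and meta["port_matches_service"]
            and meta["direction"] == "outbound"
            and bool(BROWSER_UA.match(meta.get("user_agent", "")))
            and not IP_LITERAL.match(meta.get("host", "")))

def needles(metas):
    """Remove the hay: sids of sessions the known-good profile cannot explain."""
    return [m["sid"] for m in metas if not is_known_good(m)]

# Constructed sample sessions, not captured traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
SAMPLE_SESSIONS = [
    Session(1, "10.0.0.5", "93.184.216.34", 80,
            b"GET /docs/guide.pdf HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n"),
    Session(2, "10.0.0.5", "203.0.113.9", 8443,  # large POST to a bare IP on an odd port
            b"POST /up HTTP/1.1\r\nHost: 203.0.113.9:8443\r\nUser-Agent: curl/7.64.0\r\n"
            b"Content-Length: 4096\r\n\r\n" + b"A" * 4096),
    Session(3, "10.0.0.5", "10.0.0.7", 80,  # scripted client reaching an internal admin page
            b"GET /admin/config.php HTTP/1.1\r\nHost: 10.0.0.7\r\n"
            b"User-Agent: python-requests/2.25\r\n\r\n"),
    Session(4, "10.0.0.5", "198.51.100.20", 80,  # TLS-record-shaped bytes on port 80, not HTTP
            b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(20)),
]

if __name__ == "__main__":
    metas = [enrich(s) for s in SAMPLE_SESSIONS]
    print("needles:", needles(metas), "lateral http:", query(build_index(metas), service="http", direction="lateral"))
```

Only session 1 matches the known-good profile, so the browser download drops out as hay and the odd-port POST to a bare IP, the scripted lateral request to an internal admin page, and the non-HTTP bytes on port 80 remain as needles. The point of doing this at capture time is visible in the index: later questions such as "every HTTP session that moved laterally" or "every session that fetched a .pdf" are answered from the metadata without touching the raw packets again.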
This gives you the ability to easily investigate alerts found in your existing SIEM using RSA Security Analytics, or to forward alerts from RSA Security Analytics to your SIEM or other tools. RSA Security Analytics can also combine your existing SIEM alerts with RSA Security Analytics alerts in the Incident Management console. This gives analysts the ability to aggregate alerts across tools into security incidents, which are then prioritized for a much more informed and efficient response.

CONTACT US
To learn more about how EMC products, services, and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa.

EMC2, EMC, the EMC logo, and RSA are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. © Copyright 2014 EMC Corporation. All rights reserved. Published in the USA. 08/14 Data Sheet H13416. EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.