RSA Security Analytics: Network Forensics - EMC Middle-East
RSA SECURITY ANALYTICS
Network Monitoring & Forensics

AT A GLANCE

- Augment your existing SIEM's capabilities with better visibility, analysis and workflow.
- Discover attacks missed by other tools.
- Inspect every packet session for threat indicators at time of collection with capture time data enrichment.
- Instantly pivot from incidents into network packet detail to perform network forensics and understand the true nature and scope of the issue.

Today's threats are multi-faceted, dynamic and stealthy. The most dangerous attacks have never been seen before, rendering signature-based technologies ineffective. These threats often don't leave a footprint in logs, so security teams must augment their existing security technologies with network packet-based detection and investigation. To be effective, today's tools need to handle the most current threats and issues like:

- Lateral movement of threats as they gain a foothold
- Covert characteristics of attack tools, techniques and procedures
- Use of non-standard communication tools
- Exfiltration or sabotage of critical data

SECURITY TEAMS NEED MORE FIREPOWER

To raise their game, security teams need more effective threat detection and need to conduct investigations significantly faster. This includes the ability to look at all this data with the minimum amount of manual effort, detect abnormal activity, analyze potential threats, and investigate in more detail those threats that pose the biggest risks. When seeking more clarity and definitive answers to the most challenging security questions, security teams need a deeper level of detail and the agility to quickly examine application layer sessions and events in a way that is easy to comprehend, and this needs to be done in a matter of minutes, not hours or days.
RSA Security Analytics for Network Forensics
DEEP VISIBILITY DRIVES DETECTION
RSA Security Analytics captures and enriches full network packet data alongside other data types, like NetFlow, logs and endpoint data. RSA Security Analytics is a security solution with a flexible, modular approach allowing you to choose the full solution or to augment your existing security technologies with just network packet-based detection and investigation capabilities.
RSA's Network Forensic and Monitoring solution:

- Performs data enrichment at the time of capture. It uses the solution's patented metadata framework to organize the data in a clear and navigable way. The metadata framework is based on a lexicon of nouns, verbs and adjectives: characteristics of the actual application layer content and context parsed by Security Analytics at the time of capture. The metadata from the packets is normalized so the analyst can focus on the security investigation instead of data interpretation.

- Executes rapid, deep investigation into network data. Having full network packet data allows you to readily reconstruct exactly what happened. With RSA Security Analytics this happens instantly, because the raw network data is tagged at the time of capture for rapid retrieval during an investigation, rather than being slowly reconstructed while a problem is being investigated and time is at a premium. In addition, the incident management capability built into RSA Security Analytics lets investigators collaborate, annotate and manage response activities around a particular issue.

- Automatically updates with the latest threat intelligence. RSA Security Analytics includes hundreds of parsers, plus dozens of correlation rules and feeds that detect the most current threats. RSA automatically delivers this threat intelligence to customers and embeds it into their systems. Users are therefore able to take advantage of what others have already found and spend less time building their system to identify threats that exist in their own environment.
CAPTURE TIME PACKET DATA ENRICHMENT
MAKES DETECTION AND INVESTIGATIONS
FASTER AND EASIER
RSA's security approach is akin to removing the "hay" (known good) until only "needles" (likely bad issues) remain, as opposed to traditional security approaches which attempt to search for needles in a giant haystack of data. To achieve this, RSA performs deep data enrichment right at the time of capture, making the data much faster to query and more valuable for analysis in the midst of an investigation. This includes additional context, such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information, and configuration data, expressed in over 175 different metadata fields. The figure below shows a sample of session characteristics captured by RSA Security Analytics.
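The two ideas above, parsing application layer content into normalized metadata at capture time and then removing known good until only the needles remain, can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not RSA code, does not use RSA's parsers or field names, and every session, asset record, allow-list entry and risk weight in it is constructed for illustration. It classifies each session by payload rather than port, pulls out the "nouns, verbs and adjectives" of an HTTP request (host, filename, action, extension, content type, size), attaches asset context at extraction time, and finally drops sessions that match a known-good profile.

```python
# Added illustration of capture-time metadata extraction, enrichment and
# "hay removal". Not RSA code: field names, weights, sessions, asset data
# and the known-good profile below are all constructed for this example.
import ipaddress
from typing import List

# Constructed sessions: (src_ip, dst_ip, dst_port, first client payload).
SAMPLE_SESSIONS = [
    ("10.1.5.23", "203.0.113.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.1.5.23", "198.51.100.7", 8080,
     b"POST /upload.php HTTP/1.1\r\nHost: 198.51.100.7\r\nUser-Agent: Mozilla/4.0\r\n"
     b"Content-Type: application/octet-stream\r\nContent-Length: 5000000\r\n\r\n"),
    ("10.1.7.40", "192.0.2.55", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
    ("10.1.7.40", "192.0.2.9", 443,
     b"GET /beacon HTTP/1.1\r\nHost: 192.0.2.9\r\nUser-Agent: curl/7.30\r\n\r\n"),
    ("10.1.5.23", "203.0.113.10", 80,
     b"GET /logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]
# Constructed asset context (in practice from a CMDB or scanner) and the
# constructed known-good profile that defines the "hay".
ASSET_CONTEXT = {"10.1.5.23": {"asset.criticality": "high", "asset.owner": "finance"},
                 "10.1.7.40": {"asset.criticality": "low", "asset.owner": "guest-wifi"}}
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
STATIC_EXTENSIONS = {"html", "css", "js", "png", "jpg", "gif", "ico"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def identify_service(payload: bytes) -> str:
    """Classify by payload content, not by destination port."""
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/" in first_line:
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def parse_http(payload: bytes, meta: dict) -> None:
    """Nouns (host, filename), verb (action) and adjectives (extension,
    content type, size) taken from the request line and headers."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    meta["action"] = method.lower()
    filename = target.split("?", 1)[0].rsplit("/", 1)[-1]
    if filename:
        meta["filename"] = filename
        if "." in filename:
            meta["extension"] = filename.rsplit(".", 1)[-1].lower()
    host = headers.get("host", "").split(":", 1)[0]
    if host:
        meta["alias.host"] = host
        try:
            ipaddress.ip_address(host)
            meta["alias.ip"] = host  # Host header is a bare IP, no DNS name
        except ValueError:
            pass
    if "content-type" in headers:
        meta["content"] = headers["content-type"]
    if headers.get("content-length", "").isdigit():
        meta["size"] = int(headers["content-length"])


def score_risk(meta: dict) -> int:
    """Additive risk score; the weights are illustrative, not RSA's."""
    score = 0
    if meta["service"] == "http" and meta["tcp.dstport"] not in (80, 8080):
        score += 1  # HTTP on a non-standard port
    if "alias.ip" in meta:
        score += 2  # web traffic addressed by raw IP instead of a name
    if meta.get("action") in ("post", "put") and meta.get("size", 0) >= 1_000_000:
        score += 3  # large upload: possible exfiltration
    if meta.get("content") == "application/octet-stream":
        score += 1
    if meta.get("asset.criticality") == "high":
        score += 2
    return score


def extract_metadata(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> dict:
    """Everything an analyst will later need is attached at capture time."""
    meta = {"ip.src": src_ip, "ip.dst": dst_ip, "tcp.dstport": dst_port,
            "service": identify_service(payload)}
    if meta["service"] == "http":
        parse_http(payload, meta)
    meta.update(ASSET_CONTEXT.get(src_ip, {"asset.criticality": "unknown"}))
    meta["risk.score"] = score_risk(meta)
    return meta


def is_known_good(meta: dict) -> bool:
    """The hay: static GETs to allowed sites, and TLS on its normal port."""
    if meta["service"] == "http":
        return (meta.get("action") == "get" and meta.get("alias.host") in ALLOWED_HOSTS
                and meta.get("extension") in STATIC_EXTENSIONS)
    return meta["service"] == "tls" and meta["tcp.dstport"] == 443


def find_needles(sessions) -> List[dict]:
    """Remove known good and return what is left, highest risk first."""
    tagged = (extract_metadata(*s) for s in sessions)
    return sorted((m for m in tagged if not is_known_good(m)),
                  key=lambda m: m["risk.score"], reverse=True)
```

Run against the constructed sessions, the two static page fetches and the TLS session are removed as hay, and two needles remain: the 5 MB octet-stream POST from the high-criticality finance host to a bare IP on port 8080 (highest score), and plaintext HTTP on port 443 from the guest network to another bare IP. The point of the design is that the risk score and asset owner are already on the record when the analyst opens it; nothing has to be joined or reconstructed during the investigation.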
UNIQUE DISTRIBUTED ARCHITECTURE FOR
SCALABILITY
RSA Security Analytics unique architecture allows organizations to collect and
analyze large amounts of data and expand linearly. The federated infrastructure
allows organizations to scale, while still maintaining the ability to analyze and
query seamlessly across the system. In order to enable application layer traffic in
real-time at high data rates, the capture infrastructure must scale out as well as
scale up. The distributed and hierarchical nature of the Security Analytics
infrastructure enables an organization to incrementally add data collection,
analysis, and archiving as-needed. In higher throughput environments, the ability
to separate primary read and write-to-disk functions allows Security Analytics to
maintain both high capture rates as well as fast analytic response times.
FLEXIBLE INTEGRATION
Integrate with your existing SIEM implementation by using RSA Security
Analytics’ open API to extend the value. This gives you the ability to easily
investigate alerts found in your existing SIEM using RSA Security Analytics, or
forward alerts from RSA Security Analytics to your SIEM or other tool.
RSA Security Analytics also has the ability to combine your existing SIEM alerts
with RSA Security Analytics alerts in the Incident Management console. This gives
analysts the ability to aggregate alerts across tools into security incidents, which
then are prioritized for a much more informed and efficient response.
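The aggregation step described above, folding alerts from different tools into incidents and prioritizing them, can be sketched concretely. The following is an added example written for this page, not RSA code and not RSA's open API: the SIEM and packet alerts, the asset criticality values, the 30-minute grouping window, the priority formula and the vendor fields in the CEF header are all constructed for illustration. It groups alerts by host into incidents, raises the priority when log-based and packet-based evidence corroborate each other on a critical asset, and renders an incident as an ArcSight CEF line, a common format for forwarding alerts to a SIEM or ticketing tool.

```python
# Added illustration of cross-tool alert aggregation and forwarding. Not
# RSA code and not RSA's API: alerts, asset criticality, window, priority
# formula and the vendor fields in the CEF header are constructed here.
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed alerts as they might arrive from a SIEM and from packet analysis.
SIEM_ALERTS = [
    {"time": "2014-08-12T10:02:11", "source": "siem", "host": "10.1.5.23",
     "name": "Multiple failed logons", "severity": 4},
    {"time": "2014-08-12T10:05:40", "source": "siem", "host": "10.1.5.23",
     "name": "New local administrator created", "severity": 6},
    {"time": "2014-08-12T13:00:00", "source": "siem", "host": "10.1.9.9",
     "name": "Antivirus signature update failed", "severity": 2},
]
PACKET_ALERTS = [
    {"time": "2014-08-12T10:04:05", "source": "packets", "host": "10.1.5.23",
     "name": "HTTP POST to bare IP on non-standard port", "severity": 7},
    {"time": "2014-08-12T10:06:30", "source": "packets", "host": "10.1.5.23",
     "name": "Large outbound octet-stream upload", "severity": 8},
    {"time": "2014-08-12T11:30:00", "source": "packets", "host": "10.1.7.40",
     "name": "Plaintext HTTP on port 443", "severity": 5},
]
ASSET_CRITICALITY = {"10.1.5.23": 3, "10.1.7.40": 1}  # 1 (low) .. 3 (high), constructed
WINDOW = timedelta(minutes=30)  # alerts on one host this close together form one incident


def priority(inc: dict) -> int:
    """Highest alert severity, weighted by asset criticality and doubled when
    log-based and packet-based evidence agree on the same host."""
    max_sev = max(a["severity"] for a in inc["alerts"])
    criticality = ASSET_CRITICALITY.get(inc["host"], 2)
    corroboration = 2 if len(inc["sources"]) > 1 else 1
    return max_sev * criticality * corroboration


def build_incidents(alerts: List[dict]) -> List[dict]:
    """Fold alerts from any tool into per-host incidents, most urgent first."""
    incidents: List[dict] = []
    open_by_host: Dict[str, dict] = {}
    for alert in sorted(alerts, key=lambda a: a["time"]):  # ISO 8601 sorts as text
        ts = datetime.fromisoformat(alert["time"])
        inc = open_by_host.get(alert["host"])
        if inc is None or ts - inc["last"] > WINDOW:
            inc = {"id": f"INC-{len(incidents) + 1:04d}", "host": alert["host"],
                   "alerts": [], "first": ts, "last": ts}
            incidents.append(inc)
            open_by_host[alert["host"]] = inc
        inc["alerts"].append(alert)
        inc["last"] = ts
    for inc in incidents:
        inc["sources"] = sorted({a["source"] for a in inc["alerts"]})
        inc["priority"] = priority(inc)
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def _cef_header(value: str) -> str:
    """CEF header fields escape backslash and pipe."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    """CEF extension values escape backslash and equals."""
    return value.replace("\\", "\\\\").replace("=", "\\=")


def to_cef(inc: dict) -> str:
    """One ArcSight CEF line for forwarding an incident to a SIEM:
    CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    severity = max(a["severity"] for a in inc["alerts"])  # CEF severity is 0..10
    msg = "; ".join(a["name"] for a in inc["alerts"])
    header = "|".join(_cef_header(v) for v in (
        "CEF:0", "ExampleVendor", "NetworkForensics", "1.0", inc["id"],
        f"Incident on {inc['host']}", str(severity)))
    # start/end as milliseconds since the epoch, cn1 carries the priority.
    extension = (f"src={_cef_ext(inc['host'])} "
                 f"start={int(inc['first'].timestamp() * 1000)} "
                 f"end={int(inc['last'].timestamp() * 1000)} cnt={len(inc['alerts'])} "
                 f"cn1={inc['priority']} cn1Label=priority msg={_cef_ext(msg)}")
    return header + "|" + extension
```

With the constructed input, the four alerts on 10.1.5.23 (two from the SIEM, two from packet analysis, all within a few minutes) collapse into a single incident whose priority is far above the two single-source incidents, which is exactly the ordering an analyst wants to see first. The escaping helpers matter in practice: an alert name containing a pipe or an equals sign would otherwise corrupt the CEF line on the receiving side.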
CONTACT US
To learn more about how EMC products, services, and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa.

EMC2, EMC, the EMC logo, and RSA are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. © Copyright 2014 EMC Corporation. All rights reserved. Published in the USA. 08/14 Data Sheet H13416

EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.