ARCHITECTURE
Solution Brief
SUMMARY
New security threats demand a new approach to security management. Security teams
need a security analytics architecture that can handle a much greater volume and wider
scope of data than at present, not to mention provide them with tools to lead them
quickly to the most pressing issues. They need threat intelligence about the latest tools,
techniques, and procedures in use by the attacker community, and the ability to track
and manage the responses initiated as a result of the issues they identify.
... took “weeks” or more to discover. (2012 Verizon Data Breach Investigations Report)

Principally, this is because today’s security measures aren’t designed to counter today’s more advanced threats. Traditional security measures are often:
– Signature-based: looking for “known bad” data sequences based upon previous identical attacks
Today’s threats, by contrast, are often:
– Agile: they anticipate the means organizations use to protect themselves and use adaptive techniques to evade many common detection and prevention systems
– Focused: today’s threats often have very specific goals, perhaps targeting a narrow class of organization, or even one organization
– Intelligent: they use a wide range of social engineering techniques and technical exploits to gain a foothold within victim organizations and avoid detection
This means that organizations need to start thinking differently about the tools they
deploy and the techniques they use to defend themselves.
Traditional SIEM tools have provided:
– Reporting on device activity, providing key insights into who, what, where, and when critical activities are taking place
– Basic alerting on known sequences through correlation rules that can draw attention to the most egregious or suspicious uses of computing resources
– Proof of compliance for internal and external auditors through regular reports, created in an automated fashion rather than being manually generated for every audit or assessment
– Central view into disparate event sources being collected, so that security teams can make decisions more rapidly based upon information collected from a number of sources
However, in today’s landscape, new requirements need to be taken into account. Attacks now come not just from vandals or amateurs, but from sophisticated criminal enterprises and even nation states. These attackers deploy advanced techniques such as covering their tracks in log files and minimizing the number of “auditable events.” As such, traditional SIEM proves insufficient. This requires organizations to take a more advanced approach to countering these threats.
– Advanced threats require enterprise-wide visibility into network traffic and log event data: neither network traffic data nor log event data alone provides enough information to detect and investigate these types of threats
– Security is now a Big Data problem for SOC analysts: SOC analysts now need to delve into a much larger, dynamic, and diverse set of data to identify advanced threats, which requires the fusion of internal and external intelligence
– Compromise is inevitable: a realistic goal is not to resist all attacks, but to react fast to mitigate damage and thus minimize the impact on the business

Security teams need to quickly determine how an attack happened, to put measures in place to prevent similar future attacks.
To counter these threats, security teams need to be able to:
– Identify malware entering the environment and prioritize actions related to it. Modern malware looks very much like any other file traversing a network, but full packet capture allows organizations to isolate and reconstruct executable files, and automate much of the analysis needed to identify tell-tale signs of malicious intent. This then helps malware analysts prioritize which issues they need to respond to first.
– Track the lateral movement of an attacker once inside the organization. Once an attacker has a foothold within an organization, they often move laterally from endpoint to endpoint, gathering the necessary information to launch the next stage in the attack. Since these endpoints are seldom centrally monitored, full network packet capture is needed to gain visibility into this lateral movement within an organization.
– Prove exactly what happened and what data was exfiltrated. Many advanced threats will not be detected until the attack is in progress, or even after it has been completed. At this point, security teams need to be able to assess the damage by reconstructing the attack and determining what data, if any, has left the organization, and whether it was encrypted or not.
RSA’s approach to these requirements is built on:
– A Big Data approach to security management. RSA’s distributed data architecture allows customers to collect and analyze security data at an unprecedented scale and rate of change.
– A governance layer that binds security analytics to the business. RSA’s unique portfolio helps customers streamline the process of gathering information from the business about critical business processes and systems, and the business requirements for securing them.
Distributed data collection. RSA’s distributed data architecture provides:
– Infrastructure to support collection without limitations: the ability to collect many types of security data, at scale and from many types of data sources
– Unified visibility into network and log data: a single place to view data about advanced threats and user activity from data gathered directly from the network or from key systems
Agile analytics. RSA provides tools that make detailed information available to investigators in the simplest way possible.
– Platform for performing rapid investigations: intuitive tools for investigation presented for rapid analysis, with detailed drill-down and incorporation of business context to better inform the decision-making process
– Session replay and signature-free analytics: tools to home in on the most suspicious users and endpoints connected to your infrastructure and the tell-tale signs of malicious activity. Also provides the ability to recreate and replay exactly what happened
Actionable intelligence. Threat intelligence provided by RSA helps security analysts get the most value from RSA products by incorporating feeds of current threat information.
– Current threat intelligence correlated with collected data: proprietary intelligence from a community of security experts, built into our tools and leveraged through rules, reports, and watch lists to gain insight into threats from data collected from the enterprise
– Prioritized actions based upon business context: incorporation of information from the business showing the relationship between the systems involved and the business functions they support
Optimized process management. RSA products help security teams streamline the diverse set of activities related to preparedness and response.
– Technology and services for the full security and compliance lifecycle: a workflow system to define and activate response processes, plus tools to track current open issues, trends, and lessons learned. RSA also provides industry-leading services to help prepare for, detect, and respond to incidents
– Integrated into a security and compliance management system: integration with the RSA portfolio and third-party tools to exchange information with the wide range of tools needed to identify and handle incidents and streamline compliance management
RSA provides a unique product portfolio to address the most critical problems of advanced threats
– With RSA NetWitness® network monitoring, RSA has the only platform which provides visibility into a full network session and log data from across the enterprise
– With RSA NetWitness monitoring, RSA has the only unified platform for real-time forensics which includes automated advanced threat and zero-day malware analysis
– The RSA NetWitness Live research team tracks over five million IPs and domains and hundreds of unique threat feed sources
– RSA updates and dynamically distributes its threat content library every hour through RSA NetWitness Live
RSA addresses the people, process, and technology challenges of security and compliance
– RSA is a leading provider of services to assist with incident preparedness, plus incident response and cleanup
– RSA has the only solution to support both IT and business aspects of managing security through its integration with the RSA Archer eGRC platform
– RSA has the unified platform to support compliance management, security threat management, incident management, and business continuity management

About RSA
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
EMC2, EMC, the EMC logo, RSA, NetWitness, and the RSA logo are registered trademarks or trademarks of EMC
Corporation in the United States and other countries. All other products or services mentioned are trademarks of their
respective companies. ©Copyright 2012 EMC Corporation. All rights reserved. Published in the USA.
www.rsa.com h9093 impsa sb 0412