<Partner Name> RSA NETWITNESS Intel Feeds Implementation Guide. Kaspersky Threat Feed Service. <Partner Product>

Size: px

Start display at page:

Download "<Partner Name> RSA NETWITNESS Intel Feeds Implementation Guide. Kaspersky Threat Feed Service. <Partner Product>"

David Eustace Dixon
6 years ago
Views:

1 <Partner Name> <Partner Product> RSA NETWITNESS Intel Feeds Implementation Guide Kaspersky Jeffrey Carlson, RSA Partner Engineering Last Modified: December 19 th, 2017

2 Solution Summary Kaspersky Lab offers continuously updated Threat Intelligence Data Feeds to inform customers about risks and implications associated with cyber-threats, helping to mitigate threats more effectively. The following feeds are available: IP Reputation Feed IP addresses with context covering suspicious and malicious hosts Malicious and Phishing URL Feeds URL masks with context covering malicious and phishing links and websites Botnet C&C URL Feed URL masks covering desktop botnet C&C servers and related malicious objects Mobile Botnet C&C URL Feed URLs with context covering mobile botnet C&C servers Malicious Hash Feed File hashes with context covering the most dangerous, prevalent and emerging malware Mobile Malicious Hash Feed File hashes with context for detecting malicious objects that infect mobile Android and iphone platforms P-SMS Trojan Feed Trojan hashes with context for detecting SMS Trojans enabling attackers to steal, delete and respond to SMS messages, as well as ringing up premium charges for mobile users. Every record in each Data Feed is enriched with actionable context (threat names, timestamps, geolocation, resolved IP addresses of infected web resources, hashes, popularity, etc.). Kaspersky is a high-performance solution that provides matching data in source event logs against Kaspersky Lab Threat Data Feeds. Indicators of compromise (IOCs) from Kaspersky Lab Threat Data Feeds are not loaded into your SIEM instance, and instead are processed by Kaspersky in a separate offline process running on your infrastructure. Since the task of matching events against a large number of IOCs is offloaded, your SIEM instance incurs a minimal performance hit. In case of a match, rich contextual information about the incident is passed to the SIEM instance and displayed in the dashboard

3 -- 3 -

RSA NetWitness Configuration Configuring RSA NetWitness for Communication with Kaspersky Threat Feed Service Configuring of communication between Kaspersky and RSA NetWitness involves the following

RSA NetWitness Event Source Events RSA Log Decoder Events Detects Kaspersky Configuring RSA NetWitness to forward events to Kaspersky Threat Feed Service To forward events from RSA NetWitness to

4 RSA NetWitness Configuration Configuring RSA NetWitness for Communication with Kaspersky Threat Feed Service Configuring of communication between Kaspersky and RSA NetWitness involves the following stages: Configuring RSA NetWitness to forward events to Kaspersky. Configuring RSA NetWitness to receive events from Kaspersky. Configuring and starting Kaspersky. RSA NetWitness Event Source Events RSA Log Decoder Events Detects Kaspersky Configuring RSA NetWitness to forward events to Kaspersky Threat Feed Service To forward events from RSA NetWitness to Kaspersky, perform the following steps: 1. In the RSA NetWitness main window, select Administration > Services. 2. In the Services table, select the relevant Log Decoder (the Log Decoder that receives events containing URLs, hashes, or IP addresses)

Select the App Rules tab and click the Add button ( ). The Rule Editor dialog box opens. 5. Specify the following data: Rule Name: ktfs Condition: "device.type='%device_name_1%' device.

5 Note: If more than one Log Decoder is used for receiving events, repeat the following steps for each Log Decoder. 3. For the selected Log Decoder, in the Actions column, click the Settings ( ) split button and in the drop-down list select View > Config. 4. Select the App Rules tab and click the Add button ( ). The Rule Editor dialog box opens. 5. Specify the following data: Rule Name: ktfs Condition: "device.type='%device_name_1%' device.type='%device_name_2%'" Substitute %DEVICE_NAME_1% and %DEVICE_NAME_2% with the names of the devices whose events must be forwarded to Kaspersky. For more information on how to create RSA rules, refer to Rule and Query Guidelines in the RSA NetWitness product documentation. Select the Forward and Alert check boxes

6 6. Click OK. 7. Click and select View > Explore. 8. For the /decoder/config/logs.forwarding.destination parameter, specify the destination: ktfs=tcp:%ip%:9999 Substitute %IP% with the IP address of the computer on which Kaspersky Threat Feed Service will be installed. By default, Kaspersky uses port 9999 to receive events. 9. For the /decoder/config/logs.forwarding.enabled parameter, specify true

7 After these actions are performed, RSA NetWitness will forward events that meet the ktfs rule to the %IP%:9999 address

8 Configuring RSA NetWitness to receive events from Kaspersky Threat Feed Service To send Kaspersky events (that match some records in Data Feeds) to RSA NetWitness, perform the following steps: 1. Download and deploy Kaspersky for RSA NetWitness. Kaspersky Threat Feed Service is available as an RPM package or as a TAR archive, depending on your preference. Note: The public version of Kaspersky for RSA NetWitness contains a certificate for the demo version of Kaspersky Threat Data Feeds. To obtain a certificate for the commercial version of Kaspersky Threat Data Feeds, contact the Kaspersky Cybersecurity Service team (intelligence@kaspersky.com). 2. In the deployed package, go to the /integration folder that contains the parser files and export package for rules and dashboards. 3. In the /etc/netwitness/ng/envision/etc/devices directory (of your SIEM instance), create a ktfs subdirectory and copy the following files (from the Kaspersky for RSA NetWitness distribution kit) to this subdirectory: ktfs.ini -- Configuration file (/integration/ktfs) that contains declaration of Kaspersky for RSA NetWitness. v20_ktfsmsg.xml -- Configuration file that contains parsing rules for events that are sent from Kaspersky to RSA NetWitness. 4. Restart the RSA NetWitness Log Decoder. For this purpose, in the Administration/Services table, for the selected Log Decoder, click and select Restart from the drop-down list. Note: Once restarted, make sure that ktfs parser is enabled in the Service Parsers Configuration list of RSA NetWitness Log Decoder

9 In the v20_ktfsmsg.xml file, the format of events from Kaspersky is provided in the HEADER/content element and in the MESSAGE/content element. Make sure that all the fields mentioned in the MESSAGE/content element (except context and msg) are present in the index files of RSA NetWitness Log Decoder and Concentrator (indexlogdecoder-custom.xml and index-concentrator-custom.xml). Also, make sure that the value of the flags attribute is None for each of these fields in the tablemap-custom.xml file. The table in Appendix A describes the fields used in the v20_ktfsmsg.xml file. Configuring and starting Kaspersky Kaspersky for RSA NetWitness sends two types of events: alert messages (for example, KL_ALERT_ServiceStarted) detection messages (in case there is a match with Threat Data Feeds) To configure Kaspersky for sending events to RSA NetWitness, perform the following steps: 1. In the Kaspersky configuration file kl_feed_service.conf, specify the following value in the "OutputSettings/ConnectionString" element: <ConnectionString>%IP%:514</ConnectionString> Substitute %IP% with the IP address of the computer on which RSA NetWitness Log Decoder is installed. Note: The system administrator who configures Kaspersky Threat Feed Service must be familiar with Kaspersky documentation

10 2. Restart Kaspersky. You can do this by running the kl_feed_service script as follows: <KTFS_dir>/etc/init.d/kl_feed_service restart Once Kaspersky Threat Feed service has been properly configured, RSA NetWitness analysts will see events originated from the Kaspersky threat Feed Service in the RSA NetWitness Investigator (device.type = ktfs ), as it is shown in the figure below. The RSA NetWitness interface can also be customized with dashboards that are relevant to the Kaspersky :

12 Certification Checklist for RSA NetWitness Date Tested: April 4 th, 2017 Certification Environment Product Name Version Information Operating System RSA NetWitness Virtual Appliance Kaspersky and higher SaaS Security Analytics Test Case Investigation Threat Intelligence Feed is received through Decoder Meta Threat Intelligence Feed is received through Packet Decoder Result = Pass = Fail N/A = Non-Available Function

13 Appendix A Field action msg virusname url checksum daddr saddr hostip event_source c_username context Description Kaspersky alert event (for example, KL_ALERT_ServiceStarted). Additional information about the Kaspersky alert event. Category of the object detected in Kaspersky. URL specified in the event forwarded by RSA NetWitness. Hash specified in the event forwarded by RSA NetWitness. Destination IP address value specified in the event forwarded by RSA NetWitness. Source IP address value specified in the event forwarded by RSA NetWitness. Device IP address value specified in the event forwarded by RSA NetWitness. Name of the device that has sent the event (specified in the event forwarded by RSA NetWitness). Name of the user on whose account the activity specified in the event is performed. Context of the feed record that was involved in the detection process

<Partner Name> <Partner Product> RSA NETWITNESS Logs Implementation Guide. Exabeam User Behavior Analytics 3.0

<Partner Name> <Partner Product> RSA NETWITNESS Logs Implementation Guide. Exabeam User Behavior Analytics 3.0 RSA NETWITNESS Logs Implementation Guide Exabeam Daniel R. Pintal, RSA Partner Engineering Last Modified: May 5, 2017 Solution Summary The Exabeam User Behavior Intelligence