THE RSA NETWITNESS SUITE: REINVENT YOUR SIEM
Presented by: Walter Abeson
GOALS VERSUS REALITY OF SIEM 1.0

Goals:
- Single compliance & security interface
- Analyze & prioritize alerts across various sources
- The cornerstone of security operations

Reality:
- Compliance solved, but breaches causing business damage are on the rise
- Limited detection due to reliance on logs from preventative controls & signatures
- Weak at investigation & incident response; hard to find the full scope of an attack
IS YOUR SIEM FINDING THE ATTACKS THAT REALLY MATTER?
A LOGS-ONLY APPROACH TO SIEM ISN'T WORKING

99%: percentage of successful attacks that went undiscovered by logs
HOW MUST SIEM EVOLVE?
AN EVOLVED SIEM SHOULD PROVIDE

Full Visibility:
- Visibility across Endpoints, Networks, Logs, VMs and the Cloud, combined with threat intelligence and business context
- Consumption and transformation of data into actionable threat metadata

Deep Analytics:
- Multiple sets of analytic techniques: Behavioral, Data Science Modeling and Machine Learning
- Processing of large volumes of data for complete threat detection

Insight into the Attack Scope:
- Validation of incidents with Endpoint and Cloud visibility and analysis
- Accelerate Security Orchestration to understand the full scope of an attack

Eradication of Threats:
- Enable security teams to act and mitigate the full attack before it can impact the business
INTRODUCING A NEW TYPE OF SIEM: RSA NETWITNESS SUITE

[Architecture diagram; labels recovered from the slide]
- Visibility (Cloud, On Prem): PACKETS, LOGS, ENDPOINT, NETFLOW; Intelligence & Context Tagging; Enrich
- Analysis (LIVE): Real Time Detection, Behavior Analytics, Archiving
- Action (LIVE): Incident Management, Investigation, Advanced Analytics, Compliance Reporting, Session Reconstruction, Endpoint Analysis
- FLEXIBLE INTEGRATION (API)
- RSA LIVE: Threat Intel, Biz Context, Rules, Parsers, Reports, Feeds. Powered by RSA Research, Incident Response, Engineering & Community
DIFFERENT DATA == DIFFERENT ANSWERS

What was Targeted? (LOGS)
- Alerts from Security Tools
- Windows & Linux Authentications
- Proxy Logs

Did the Attacker Move Internally? Did the Exploit Occur and What Left the Network? (NETFLOW, PACKETS)
- Lateral Movement Attempts
- Scanning Internal Network
- Beaconing and Suspicious Communications
- Command & Control Traffic
- Recreate Files that Traversed the Network

Does the Attacker Still Have a Foothold? (ENDPOINT)
- Time / Date Stomping
- Indicators about Malicious Files, Code, and Processes
- Scope of Infection

Enterprise Visibility: RSA NetWitness consumes and normalizes ALL available threat data before analyzing it, to deliver faster, more accurate results.
RSA NETWITNESS ARCHITECTURE

- Capture, Process & Store: Decoder
- Index & Query Metadata: Concentrator
- Distributed Query: Broker
- Analytics, Correlation, Alerting: Event Stream Analysis
- Alerting, Reporting, Investigation: NetWitness Application Server
REINVENT THE ANALYST EXPERIENCE: RESPOND

- Prioritize Incident Triage & Response with the Incident Risk Score
- Reveal advanced attacks regardless of detection method with the Incident Storyline
- Visual, nodal representation of the Incident that the Analyst can interact and pivot with
- Collaborate with the Incident Journal
REINVENT THE ANALYST EXPERIENCE: INVESTIGATE

- Quick extraction of only the necessary data
- Toggle layout, including payload compression
- Toggle through a sequential list of events
- Association between Meta and RAW text
- Distinguish certain bytes
- Base64 and URL decoding

[Screenshot; panel labels recovered from the slide: Event List, RAW Text, Meta Data, Single Combined View]
ATTACKERS QUICKLY TURN COMPROMISES INTO BREACHES

[Timeline; axis: Minutes, Hours, Days, Weeks, Months]

Initial compromise -> Breach -> Breach Detected:
- Spear Phishing Attack
- Malware Installed
- Communicate to External Server (C2)
- Lateral Movement
- Discover Critical Assets
- Data Exfiltration
- 3rd Party Detection
- Breach Detected

- 82% compromised in MINUTES
- 99% of exfiltration occurred in DAYS
- 64% discovered in MONTHS
RSA NETWITNESS SUITE: AN ENTERPRISE-CLASS EVOLVED SIEM

- More than 400 supported devices OOTB
- Collection methods: syslog, Flat Files, SNMP, ODBC, Windows Agentless
- Cloud & API collection: VMware, AWS, Azure, and Office 365
- Configurable retention & BYO storage
- Easily configured correlation rules w/ ESPR support
- Compliance reporting for HIPAA, ISO 27002, PCI, and many more
- Incredibly flexible deployment options w/ Virtual Log Collectors
THANK YOU