SOLUTION BRIEF
RSA NETWITNESS SUITE
3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM
OVERVIEW

The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders. In fact, attackers generally take days or less to compromise an organization. The bottom line is that the attackers are winning.

Why are attackers so successful? There are several reasons. Attackers are becoming more sophisticated and targeted; they have larger attack surfaces to exploit; existing security controls are failing; and there is a real shortage of skilled security staff. Against this backdrop, organizations need to take their security incident detection, investigation and response capabilities and their Security Operations Centers (SOCs) to the next level.

Organizations are at a crossroads right now. Many invested in perimeter-based, preventative controls and log-centric Security Incident and Event Management (SIEM) systems. Unfortunately, that is not enough. Attackers are sneaking past the controls and remain undetected by many SIEMs.

Tools, Techniques and Procedures (TTPs) are the methods that attackers use to target, exploit and compromise organizations. TTPs have become polymorphic and increasingly sophisticated, mimicking typical user and enterprise behaviors in order to go undetected. For example, phishing attacks typically use covert channels to deliver malware to victims, making it difficult to spot delivery of a malicious payload.
The RSA NetWitness Suite provides pervasive visibility, enabling faster detection, investigation and response to security incidents. The RSA NetWitness Suite consists of powerful modular solutions which together deliver threat detection and response capabilities that provide the fastest path to identifying threats regardless of the threat vector.

RSA NetWitness Logs and Packets provides security visibility across your infrastructure, from on-premises to public cloud services. By capturing real-time data from logs, network packets and NetFlow, it can then analyze this data using event stream analysis and behavior analysis models to detect and recognize threats before the adversary can cause any damage.

RSA NetWitness Endpoint is an endpoint detection and response tool that continuously monitors assets such as laptops, servers and virtual machines to provide deep visibility into, and powerful analysis of, all threats on an organization's endpoints.

RSA NetWitness SecOps Manager provides a solution to help better prioritize, investigate and respond to security incidents by automating and orchestrating your people, process and technology in a repeatable way.

RSA Advanced Cyber Defense Practice provides services to assess and develop your SOC strategy, readiness and resilience.

RSA Incident Response (IR) Practice provides services to help organizations detect and investigate incidents and breaches in order to identify root causes and develop containment and remediation plans.

No matter where your organization is with respect to its security operations capabilities, you can leverage the RSA NetWitness Suite to take your organization to the next level and better detect, investigate and respond to security incidents.

CURRENT SITUATION

Traditional perimeter-based security and SIEMs are not detecting sophisticated attacker TTPs. As shown in the diagram below, there is a white space across the network and endpoints where organizations are most vulnerable.
RSA NETWITNESS LOGS AND PACKETS

The first step in detecting and recognizing sophisticated attacks is to have complete, pervasive visibility with real-time behavior analytics. Visibility needs to be across:

Data Sources: Packets, NetFlow and Logs
Threat Vectors: Endpoint, Network and Cloud

RSA NetWitness Logs and Packets provides pervasive visibility across data sources and threat vectors, enriching the raw data with security context at time of capture and making it valuable for security analysts during detection and investigation of security incidents. Enrichment content is provided by RSA Live. RSA Live is the platform which delivers threat intelligence, business context and out-of-the-box content for parsing data sources, defining alert rules and reporting. Customers can leverage crowd-sourced threat intelligence with RSA Live.

Event Stream Analysis (ESA) is the analytics engine for the RSA NetWitness Suite. It correlates across data sources to detect and recognize sophisticated attacks before the attacker can achieve their objective. With behavior analytics models, ESA is able to rapidly spot and understand attack behaviors without prior knowledge of the attack or reliance on signatures, rules or analyst tuning. For example, ESA can recognize sophisticated threat actors utilizing Command and Control (C2) well in advance of data exfiltration by detecting anomalies in the behavior of domains.

RSA NetWitness Logs and Packets is a comprehensive solution that is purpose-built for detecting and investigating security incidents. Once an attack is discovered in a customer environment, RSA NetWitness Logs and Packets can be leveraged to reconstruct sessions and enhance investigations with context from RSA NetWitness Endpoint and other sources to put an effective remediation plan in place.

RSA NetWitness Logs and Packets goes above and beyond a traditional SIEM solution. While a SIEM solution is focused on fast ingest and correlation of logs, RSA NetWitness Logs and Packets provides pervasive visibility and analytics across multiple data sources and threat vectors to detect sophisticated attacks. Traditional SIEM vendors are focused on use cases such as compliance or IT operations. RSA NetWitness Logs and Packets is focused on detecting and investigating advanced security threats.
For example, a series of attacker actions and a combination of anomalous activities by users and entities could be leading indicators of C2 communications, which will require further investigation and counterstrike to stop the attacker. By having access to the right data, profiling attacker TTPs and detecting anomalies utilizing behavior analytics, RSA NetWitness Logs and Packets automates threat detection and response.

RSA NETWITNESS ENDPOINT

Endpoints, such as laptops, servers and virtual machines, are still major attack vectors that attackers continue to exploit through both malware and file-less attacks, gaining privileged access and moving laterally to finally exfiltrate sensitive data. Organizations need a new breed of endpoint security to combat endpoint threats that have evolved beyond just malware. This requires a different approach from traditional, signature-based endpoint security.

By leveraging unique, continuous endpoint behavioral monitoring and advanced machine learning, RSA NetWitness Endpoint dives deeper into endpoints and more accurately and rapidly identifies targeted, unknown and non-malware attacks that other endpoint security solutions miss entirely. As a result, security teams gain the unparalleled endpoint visibility they need to more quickly detect threats they couldn't see before, investigate more thoroughly, drastically reduce threat dwell time and focus their response more effectively to protect their organizations.
RSA NetWitness Endpoint offers deeper detection techniques, such as live memory analysis and endpoint state assessment, to uncover all endpoint threats. Threats are rapidly analyzed, prioritized and triaged to help security teams understand the highest-risk threats through an intelligent endpoint risk scoring system driven by advanced machine learning and data science. Security teams can respond rapidly to isolate endpoints on the network as well as block and quarantine threats across ALL infected machines in their organization. Additionally, RSA NetWitness Endpoint is seamlessly integrated with RSA NetWitness Logs and Packets to provide security teams with a unified solution for both endpoint and network telemetry.

RSA NETWITNESS SECOPS MANAGER

A Security Operations Center (SOC) is comprised of people, process and technology. Better orchestration of people, process and technology increases the effectiveness and overall return on investment of the SOC program. RSA NetWitness SecOps Manager provides the orchestration and framework for the SOC. It integrates with RSA NetWitness Logs and Packets, RSA NetWitness Endpoint and other third-party security monitoring systems, aggregating events, alerts and incidents and managing the overall incident response workflow.
The workflow and capturing of incident information is aligned with industry standards such as NIST, US-CERT, SANS and VERIS. RSA NetWitness SecOps Manager caters to the multiple personas within the SOC, from analysts and incident coordinators to the SOC manager and the CISO, by providing a view of the overall effectiveness of the SOC program. By leveraging the Incident Response, Breach Response and SOC Program Management capabilities of RSA NetWitness SecOps Manager, an organization can guarantee that the overall security incident response function is being managed as an effective, predictable and consistent process.

RSA ADVANCED CYBER DEFENSE PRACTICE

The RSA Advanced Cyber Defense Practice helps organizations improve their security maturity and posture, and evolve with the threat environment. These services assist organizations in developing strategies and tactics for building and improving their security operations, with a specific focus on the design and optimization of SOCs or incident response teams, as well as the effective use of threat intelligence.

RSA INCIDENT RESPONSE

The RSA Incident Response Practice is a team of experts focused on helping customers investigate, respond to and recover from a security incident or a breach. The team consists of experienced, world-class incident response practitioners leveraging battle-tested processes and specialized technology that can help limit the damage of security incidents and breaches. RSA IR services can be leveraged in multiple ways, from breach detection and response to retainer services.

INDUSTRY VIEWPOINTS

Highlights of the capabilities required to implement an effective security incident detection, investigation and response program are as follows:

Network World: "The Incident Response Fab Five":
1. Host Monitoring
2. Network Monitoring
3. Threat Intelligence
4. User Behavior Monitoring
5. Process Automation

Forrester: "Security Analytics Is The Cornerstone of Modern Detection and Response":
1. Security analytics platform
2. Comprehensive view of the network
3. Detect data exfiltration
4. Detect the unknown
5. Dedicated FTEs for incident response
Gartner: "Technology Overview for MSSP Advanced Threat Detection Defense":
1. Network traffic analysis and forensics
2. Visibility to endpoint behavior and forensics

RSA ADVANTAGE

The RSA NetWitness Suite is a comprehensive set of solutions and services that improve an organization's overall security effectiveness through powerful incident detection, investigation and response capabilities. From a solution perspective, RSA NetWitness Logs and Packets, RSA NetWitness Endpoint and RSA NetWitness SecOps Manager are fully integrated, and can also integrate with third-party security monitoring systems. From a service perspective, RSA Advanced Cyber Defense services can proactively help an organization assess the gaps in its security operations program and make recommendations to close those gaps from a people, process and technology perspective. RSA IR services can be leveraged when additional help is needed to investigate and respond to security incidents.

Organizations are often challenged with the following questions:
Are we able to investigate incidents in a timely manner?
How do we identify which assets are being compromised and what type of data is involved?
What is our strategy for effective incident response?
Are we able to show security effectiveness to the C-levels?
Are we sufficiently skilled and staffed to detect and respond to targeted attacks?

The RSA NetWitness Suite helps answer these questions by providing immediate benefits to an organization through comprehensive visibility, the advanced detection of behavioral anomalies from endpoint to cloud, and the acceleration of investigation and response by the security team. RSA has the expertise as well as the breadth and depth of solutions and services to have 3X the impact and take an organization's incident response program to the next level.

The information in this publication is provided as is. Dell Inc. or its subsidiaries make no representations or warranties of any kind with respect to the information in this publication, and specifically disclaim implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any software described in this publication requires an applicable software license.

Copyright 2017 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA, 02/17, Solution Brief, H15849.

Dell Inc. or its subsidiaries believe the information in this document is accurate as of its publication date. The information is subject to change without notice.