RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Similar documents
ForeScout Extended Module for Splunk

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

Top 10 most important IT priorities over the next 12 months. (Percent of respondents, N=633, ten responses accepted)

Un SOC avanzato per una efficace risposta al cybercrime

Abstract. The Challenges. ESG Lab Review Lumeta Spectre: Cyber Situational Awareness

Shavlik Protect: Simplifying Patch, Threat, and Power Management Date: October 2013 Author: Mike Leone, ESG Lab Analyst

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.

Abstract. The Challenges. ESG Lab Review Proofpoint Advanced Threat Protection. Figure 1. Top Ten IT Skills Shortages for 2016

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

An All-Source Approach to Threat Intelligence Using Recorded Future

Endpoint Security Must Include Rapid Query and Remediation Capabilities

RSA NetWitness Suite Respond in Minutes, Not Months

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES

Building Resilience in a Digital Enterprise

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

ForeScout ControlFabric TM Architecture

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

ESG Lab Review RingCentral Mobile Voice Quality Assurance

IBM Data Protection for Virtual Environments: Extending IBM Spectrum Protect Solutions to VMware and Hyper-V Environments

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

i365 EVault for Microsoft System Center Data Protection Manager Date: October 2010 Authors: Ginny Roth, Lab Engineer, and Tony Palmer, Senior Engineer

Next-generation Endpoint Security and Cybereason

Transforming Security from Defense in Depth to Comprehensive Security Assurance

RSA Security Analytics

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Vectra Cognito Automating Security Operations with AI

with Advanced Protection

Abstract. The Challenges. ESG Lab Review InterSystems IRIS Data Platform: A Unified, Efficient Data Platform for Fast Business Insight

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Automating the Top 20 CIS Critical Security Controls

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Lab Validation Report

WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

NetApp Clustered Data ONTAP 8.2 Storage QoS Date: June 2013 Author: Tony Palmer, Senior Lab Analyst

Closing the Hybrid Cloud Security Gap with Cavirin

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Combating Cyber Risk in the Supply Chain

DATA SHEET RSA NETWITNESS PLATFORM PERVASIVE VISIBILITY. ACTIONABLE INSIGHTS.

(TBD GB/hour) was validated by ESG Lab

Mastering The Endpoint

THE EVOLUTION OF SIEM

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

RSA ECAT DETECT, ANALYZE, RESPOND!

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

TRUE SECURITY-AS-A-SERVICE

deep (i) the most advanced solution for managed security services

ESG Research. Executive Summary. By Jon Oltsik, Senior Principal Analyst, and Colm Keegan, Senior Analyst

Managed Endpoint Defense

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

TRAPS ADVANCED ENDPOINT PROTECTION

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Device Discovery for Vulnerability Assessment: Automating the Handoff

Behavioral Analytics A Closer Look

Reducing the Cost of Incident Response

Abstract. The Challenges. The Solution: Veritas Velocity. ESG Lab Review Copy Data Management with Veritas Velocity

Reference Research: Disk-based Storage Capacity Trends Date: September 2012 Author: Bill Lundell, Senior Research Analyst

Securing the Modern Data Center with Trend Micro Deep Security

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

SentinelOne Technical Brief

CyberArk Privileged Threat Analytics

BUILT TO STOP BREACHES. Cloud-Delivered Endpoint Protection

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Fast Incident Investigation and Response with CylanceOPTICS

THE ACCENTURE CYBER DEFENSE SOLUTION

Automation and Analytics versus the Chaos of Cybersecurity Operations

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

MCAFEE INTEGRATED THREAT DEFENSE SOLUTION

Incident Response Agility: Leverage the Past and Present into the Future

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

Borderless security engineered for your elastic hybrid cloud. Kaspersky Hybrid Cloud Security. #truecybersecurity

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

The Convergence of Security and Compliance

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Symantec Security Monitoring Services

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

SIEMLESS THREAT MANAGEMENT

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

A Simple Guide to Understanding EDR

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

IBM Data Protection for Virtual Environments:

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Security Information & Event Management (SIEM)

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

The 2017 State of Endpoint Security Risk

Transcription:

ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents hands-on testing of RSA Enterprise Compromise Assessment Tool (ECAT), a signature-less malware detection tool with a focus on endpoint compromise assessment and monitoring. The Challenges Throughout the history of client computing, endpoint security was really equated with antivirus software installed on Windows PCs. This alone was considered an adequate security control for reducing the risk of infection. However, given the recent onset of APTs, targeted attacks, and zero-day malware, most organizations now realize that antivirus software is no longer enough. Rather, they really need a thorough understanding of endpoint status and behavior as well. Unfortunately, many organizations actually have an incomplete picture of endpoint configurations or activities today. For example, ESG research indicates that one-quarter of respondent organizations claim that they are weakest at monitoring PC endpoints for downloads/execution of suspicious/malicious code, 20% that they are weakest when it comes to monitoring applications installed on each device, and 17% that they are weakest at monitoring suspicious/malicious network activity with PC endpoints (see Figure 1) 1. Figure 1. Weakest Area of Security Monitoring for Endpoint PCs With regard to endpoint PCs (i.e., desktops/laptops), in which area is your organization s security monitoring the weakest? (Percent of respondents, N=315) Operating system configuration, 8% Other, 1% System changes, 11% Don t know, 3% Downloads / execution of suspicious / malicious code, 25% Current patch levels, 14% Suspicious / malicious network activity, 17% Applications installed on each device, 20% Source: Enterprise Strategy Group, 2014. 1 Source: ESG Research Report, Advanced Malware Detection and Protection Trends, September 2013. The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to go over some of the more valuable feature/functions of products, show how they can be used to solve real customer problems and identify any areas needing improvement. ESG Lab s expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments. This ESG Lab report was sponsored by RSA.

ESG Lab Review: RSA Enterprise Compromise Assessment Tool 2 Why is this important? To paraphrase an old business management adage, You can t secure what you can t measure. As the ESG data points out, many security analysts remain blind to critical system attributes and behavioral monitoring capabilities. When organizations lack visibility into endpoints and their suspicious behaviors or activities, then they aren t able to detect threats quickly enough to prevent prolonged access to their systems by attackers. To overcome this limitation, security professionals need: Actionable intelligence to detect threats faster. Fast and scalable endpoint scans to collect data quickly, even with thousands of agents deployed. The ability to build an ongoing, updated repository of unique elements in the environment so new unknown elements are quickly identified as anomalous. Automation to help focus on suspect activity quickly. The ability to quickly sift through data during investigations and identify infected endpoints. Given the increasingly dangerous threat landscape, many CISOs now recognize the value of early signature-less threat detection. How can organizations detect, investigate, and remediate threats on endpoints faster? This lab report is intended to address this question with an assessment of the RSA Enterprise Compromise Assessment Tool (ECAT). RSA ECAT RSA ECAT is an endpoint threat detection tool that can help organizations detect, analyze, and respond to advanced malware quickly and without reliance on signatures to identify malware. Figure 2. RSA ECAT Architecture RSA ECAT is intended to provide: Signature-less malware detection ECAT uses a signature-less approach designed to identify malware that leverages zero-day vulnerabilities, targeted malware, and advanced threats that can elude signature-based detection. ECAT leverages per-process live memory analysis and inspection of host behavior to detect suspicious activity. Actionable intelligence for rapid breach detection Engineered to provide actionable intelligence to security teams, ECAT can quickly detect and validate compromised machines and correlate results to other infected hosts across an organization. Increased Security Operations Center (SOC) efficiency The SOC or Critical Incident Response Center can use ECAT to gauge the magnitude of an intrusion and reduce incident response time.

ESG Lab Tested ESG Lab Review: RSA Enterprise Compromise Assessment Tool 3 ESG Lab examined RSA ECAT at an RSA facility in September of 2013. The goal of testing was to experience how RSA ECAT gathers data from endpoints to detect threats, and how security teams can leverage the actionable intelligence provided by RSA ECAT to remediate those threats. Figure 3 shows the RSA ECAT summary, which gives a unified view of scan results and reports the overall Machine Suspect Level (MSL) for each endpoint. The MSL is used by analysts to prioritize which endpoints to investigate first. Figure 3. RSA ECAT Scan Results and Endpoint Scoring RSA ECAT gathers data from endpoints to detect threats using signature-less malware detection, which combines perprocess live memory analysis with physical disk inspection to make a comparison between what s on disk and what's running in memory (executables, DLLs, and drivers) to verify that there has been no modification or tampering. Traces of malware activity, such as hooking and code injection, typically occur in memory, and RSA ECAT is designed to make it easy to identify this type of activity. Figure 5 shows a detailed view of the machine with the highest MSL. ECAT uses multiple access methods including raw disk access to get a view of what is on disk below the level where rootkits typically insert themselves. ECAT compares what s found on disk (executables, DLLs, drivers, etc.) with what's running in memory to verify that there has been no modification to or tampering with the code. When the ECAT agent runs a scan of an endpoint machine, it creates a full inventory of that machine. The scan typically takes between five and 20 minutes to complete. Since the agents are independent and run on each scanned system, scans can be performed in parallel. The scan focuses on identifying the code currently running in memory and all of the programs that are configured to run automatically at startup. Executables, DLLs, drivers, services, hooks, and other modules on the machine are identified and reported to the ECAT server for processing and analysis. All network connections are also analyzed and any abnormalities are highlighted. An inventory of all processes running in memory and any unknown files found are sent back to the server and stored in a SQL database. The server analyzes the data and applies what ECAT refers to as suspect levels to each file or memory component that is not already whitelisted. Whitelisting is critical for removing the noise for analysts and helping them focus on the most suspicious elements. On the server side, ECAT automatically checks the vendor signed certificate of files to confirm that the file has not been selfsigned or replaced with an unsigned copy. ECAT also checks the file hash against three hash databases (from Microsoft,

ESG Lab Review: RSA Enterprise Compromise Assessment Tool 4 NIST, and Bit9) to see if the hash has been seen before and is known to be good. This helps the analyst quickly determine if the file should be trusted and can be whitelisted. Users can also add their own custom whitelist hash set. ECAT has an integration with OPSWAT Metascan and Yara Rules can be imported to identify known threats that the analyst doesn t need to waste time investigating. Figure 4. RSA ECAT Whitelisting Whitelisting supports ECAT s core functionality of helping to quickly detect threats that have never been seen before. Once a file has been whitelisted or a known threat has been blacklisted, this information is stored in the ECAT Global Module list. Any time a file in the Global Module list is detected and shown on an incoming scan report, ECAT automatically highlights it in green if it is whitelisted or red if blacklisted, as seen in Figure 4. This helps to clearly highlight any never-before-seen modules and significantly reduces the amount of data that an analyst has to sift through. Analysts can also query the database looking for indicators of compromise using ECAT s faceted filtering and Instant Indicators of Compromise (IOC) functionality, to help analysts quickly focus investigations on the most suspicious activity even with tens of thousands of agents deployed.

ESG Lab Review: RSA Enterprise Compromise Assessment Tool 5 Figure 5 shows a detailed view of a specific endpoint, with suspect processes broken down into categories with suspect behavior. Figure 5. RSA ECAT Endpoint Detail ESG Lab examined data collected from a production ECAT environment and browsed to the ECAT global view to see a summary of all endpoints across the environment. Next, ESG Lab looked at a specific machine, with a relatively high suspect level of 65, to determine what was happening on that particular endpoint. As Figure 5 shows, there were seven categories with a high suspect level. Figure 6. Identifying and Tracking Threats with RSA ECAT System Detail First, ESG Lab clicked on network connections, which showed that explorer.exe was communicating with an IP address outside the corporate network. Since Windows Explorer does not typically generate network traffic, this was a red flag. To provide additional network context, ECAT integrates tightly with RSA Security Analytics, enabling the analyst to pivot from the endpoint view to the network view and investigate logs and packets for the targeted endpoint and across the environment. At this point, ESG Lab looked at the Inline Hooks report, to verify whether there was any anomalous code being executed by explorer.exe. As seen in Figure 7, ECAT shows that when explorer.exe is running in memory, a DLL was infected with an inline code modification, or hook that was executing the JMP instruction, which tells the program to

ESG Lab Review: RSA Enterprise Compromise Assessment Tool 6 look at a specific address in memory for the next instruction. The file that inserted the hook is identified by ECAT as well: fyulu.exe. Figure 7. Identifying and Tracking Threats with RSA ECAT Hooked Module Diagram Clicking on the Code Difference tab shows precisely which code was replaced in the process, as seen in Figure 8. Figure 8. Identifying and Tracking Threats with RSA ECAT Replaced Code This process enables fast, precise identification of the vector and method used by malware. ECAT automatically and clearly shows a level of detail that would typically take hours of manual analysis to decipher, providing fast, actionable intelligence to security analysts. Taking this a step further, once the malicious module (in this case, fyulu.exe) is identified, with a simple right click, the security analyst can see all of the machines across the environment that were scanned and also contain this malicious code. This visibility helps her quickly gauge the potential magnitude of infection, as shown in Figure 9.

ESG Lab Review: RSA Enterprise Compromise Assessment Tool 7 Figure 9. Identifying and Tracking Threats with RSA ECAT Finding All Infected Endpoints Why This Matters ESG Research has shown that many surveyed organizations have at least one weakness when it comes to endpoint configurations or activities today whether it s monitoring PC endpoints for downloads and execution of suspicious code, monitoring applications installed on each device, or monitoring suspicious/malicious network activity with PC endpoints. 2 To overcome these challenges, security professionals need to be able to obtain a comprehensive view of endpoint systems, including system registries, RAM, file systems, and network activity in order to provide guidelines for remediation. Targeted attacks and insider threats often use obfuscation techniques to make their attacks appear like normal network and endpoint activities. RSA ECAT is designed to identify these targeted, advanced threats quickly and definitively, without dependence on pre-identified signatures or lengthy, resource-intensive full scans. ESG Lab has validated that RSA ECAT arms security analysts with the essential details needed to quickly identify endpoint compromises, especially those that have not been previously encountered. This enables faster and more efficient incident response. The level of detail that ECAT automatically provides in clear, easyto-understand language saves security analysts hours of manual analysis deciphering the precise nature and vector of a compromise. Organizations can efficiently scan endpoints for advanced threats and use the data gathered to accelerate response processes and contain security breaches more quickly and completely. 2 Source: Ibid.

The Bigger Truth ESG Lab Review: RSA Enterprise Compromise Assessment Tool 8 ESG research finds many organizations affirming their weaknesses monitoring PC endpoints for downloads and execution of suspicious or malicious code, monitoring applications installed on each device, and monitoring suspicious or malicious network activity. 3 To address this, analysts need the ability to examine critical system attributes and perform behavioral monitoring. CISOs must internalize today s cyber security realities: The cyber criminals are well-funded, highly organized, and technically proficient. Many cyber-attacks easily circumvent existing defenses. Security teams tend to be short-staffed and under-skilled. In many cases, security analysts lack the right level of visibility into what s happening on endpoints and the network. This is an alarming situation but CISOs shouldn t simply panic or invest in the fashionable security technology du jour. Rather, they must take a prudent approach to information security by assessing current capabilities, identifying vulnerabilities, and creating an intelligent future strategy. Yes, security controls for threat prevention will always be part of the plan, but smart CISOs should assume that in spite of the best security defenses, sophisticated threats may still penetrate their networks and endpoints. Addressing this weakness requires a combination of continuous monitoring across IT, intelligent analytics, and ultimately actionable intelligence for minimizing the impact of a security breach. In the past, many organizations eschewed endpoint data capture and analytics, believing that these capabilities were either unnecessary or really meant for defense and intelligence organizations. This may have been an accurate assumption three years ago, but it is no longer the case CISOs need comprehensive endpoint data to address the insidious threat landscape of today. ESG Lab looked at RSA ECAT and found it able to quickly and automatically identify malware leveraging zero-day vulnerabilities, targeted malware, and advanced threats across thousands of endpoints. Compromised endpoints were rapidly identified, as was the specific nature and vector of the compromise. The ability to compare live memory analysis of running processes with their corresponding files on physical disk was particularly compelling because it enabled ECAT to pinpoint advanced exploits that would elude a solution that relied on the OS or file system driver to examine disks. Whitelisting helped remove the noise and made it easier to identify the most suspicious elements, leveraging vendor signed certificates and hash databases (from Microsoft, NIST, Bit9, and custom hash sets) to quickly identify known good files. This helps the analyst quickly determine whether the file should be trusted and can be whitelisted. Many products in this space have different strengths, weaknesses, and capabilities for various types of security needs. ESG Lab believes that RSA ECAT has the features, capabilities, and management functions to satisfy most enterprise organizations requirements for actionable endpoint intelligence and rapid threat detection, and it deserves a closer look. All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188. 3 Source: Ibid.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback