RSA INCIDENT RESPONSE SERVICES


SERVICE DATA SHEET

Enabling early detection and rapid response

EXECUTIVE SUMMARY
Technical forensic analysis services

RSA Incident Response services are for organizations that need rapid access to technical security expertise to assist with identifying and remediating cyber security attacks. Proactive incident discovery assessment and knowledge transfer services are also provided.

Early detection and rapid response are the most critical capabilities for targeted attack defense. Many reports indicate that well-resourced adversaries consistently bypass traditional security defenses. The issue is less about being able to keep the bad guys out, which is increasingly hard to do on an ongoing basis. It's more about detecting and responding to them as soon as they are in. Once detected, a rapid response is needed to mitigate broader compromise and prevent the attackers from achieving their objectives. RSA's services for incident response enable organizations to respond to security incidents without having to accept the inevitability of loss.

ANALYTIC INTELLIGENCE
The key to early detection and rapid response

Attackers leave clues. The question is whether the victim is able to detect these clues and respond rapidly. RSA's incident response professionals are experts at detecting such clues quickly enough for organizations to get ahead of the threat. As signature- and perimeter-based defenses have proven inadequate, security professionals need tactical insight into activities taking place on their systems.

Through the capture and analysis of network and endpoint data using the award-winning RSA NetWitness Packets and RSA NetWitness Endpoint, RSA's incident response consultants can proactively gather analytic intelligence, review the overall state of the environment and identify areas of concern, including:

- Anomalous activities on network and host systems
- Detection and analysis of adversary tools, tactics and procedures
- Identification of the assets that may have been targeted

RSA's capabilities in incident response include access to threat intelligence relating to current attacks and campaigns. This also includes the ability to assess the scope of adversary activities and make informed decisions in a timely manner. With the preservation of potential sources of evidence, and visibility and context across the enterprise, organizations can develop an intelligence-driven program of their own for incident management.

The odds to date have consistently been stacked in favor of the adversary, especially when defending against nation state attackers. But by bringing the right expertise to the table, organizations can detect attacks earlier in the incident lifecycle. This puts them in a much better position to protect themselves in a complicated and unpredictable threat environment, which has ranged from cyber crime to cyber espionage and, more recently, even to growing concerns about cyber terrorism.

IR SERVICES PORTFOLIO
Proactive response services

Working with RSA's Incident Response team, organizations can benefit from the expertise gained through a diverse range of global engagements. The service offerings available include:

- IR Retainer - the retainer provides for the proactive engagement of RSA's IR team, giving surge access to technical forensics resources under accelerated service levels. Deliverables include a Preliminary Analysis Report which scopes the nature of the incident and makes recommendations for a response and mitigation program.
- IR Discovery - the IR team uses RSA NetWitness Packets and RSA NetWitness Endpoint to proactively hunt for indications of adversary activity. Deliverables include a Findings Report which provides remediation recommendations for any threats that have been identified.
- IR Response - this service provides rapid access to IR expert boots on the ground when attack activities are suspected. Deliverables include a Findings Report which highlights the scope and nature of the incident and provides recommendations for remediation.
- IR Jumpstart for Analytic Intelligence - this service enables customers of RSA NetWitness Packets and NetWitness Endpoint to optimize product investments by working hand-in-hand with RSA's IR team to conduct proactive hunting and analysis activities. This service includes knowledge transfer during the hunting and analysis process and is also available on a subscription basis.

RSA's IR team has gained first-hand experience in dealing with sophisticated adversaries and targeted attack campaigns. This knowledge and expertise is shared with our customers. Complementing RSA NetWitness with the skills and knowledge transfer from RSA's IR team, organizations can take a significant step towards enhancing their security posture given today's threat environment.

[Figure: RSA IR Discovery Findings Report]

THE RSA APPROACH
Comprehensive forensic analysis framework

The RSA incident response team uses a comprehensive framework to guide its forensic analysis. This ensures that the response process takes into consideration data from multiple sources, including in-house systems, open source research, RSA Live threat intelligence and the customer's threat intelligence sources. The approach taken includes:

- Network Analysis - data from packets and logs collected by RSA NetWitness are used to identify suspicious or risky communications. Sophisticated adversaries tend not to trigger alerts in traditional signature-based security systems. Review of session and packet data is critical for identifying attackers operating in stealth mode.
- Host Forensics - executables, files and libraries are used to identify unauthorized services and processes deployed by the attacker and running on endpoints.
- Threat Intelligence - research is conducted to gain insights and harvest intelligence about the adversaries' attack infrastructure, tools and techniques. This can be particularly beneficial in profiling actors which are persistently targeting the organization in an ongoing campaign.
- Malware Analysis - while malware can be very sophisticated, it tends to be relatively small in terms of file size, helping the attackers to conceal their efforts and avoid detection. By conducting basic and advanced static and dynamic analysis, an incident response team can develop blocking techniques and gather further intelligence to make the organization more resilient against further intrusions.

[Figure: RSA Incident Response Services Forensic Analysis Framework]

[Figure: RSA NetWitness Packets alerting dashboard of anomalies such as phishing attacks, command and control sessions and HTTP anomalies]

SETTING THE STAGE FOR DETECTION AND ANALYSIS
Start by capturing the right data

RSA's approach to incident response, combined with the use of RSA NetWitness and RSA Endpoint, helps organizations to ensure that the right data is being captured so that they can detect and respond to attacks. Advance planning and preparation are key. Initially, consideration is given to the information which accelerates detection and analysis. Examples of the analytic intelligence concepts used by the IR team include:

- Data directionality - by categorizing data such as "outbound to Internet", organizations can more rapidly detect unusual activity such as beaconing from compromised hosts to outside domains.
- IP address space - by categorizing RFC 1918 traffic, organizations can reduce payload capture, which helps to accelerate the analysis of smaller and more relevant data sets.
- Session characteristics - by categorizing encrypted sessions, organizations can capture metadata without capturing obfuscated payloads, which also helps to accelerate the analysis of smaller and less computationally intensive data sets.
- Filters and parsers - by applying logic at the time of capture, the right metadata can be gathered for enrichment.
- Correlation templates - by anticipating threat scenarios, organizations can proactively generate rules to detect unusual activity such as traffic to suspect locations, privilege escalation and session anomalies relating to HTTP headers, user agents and domain name services. Templates reduce the need for complex syntax development each time a query needs to be run.

[Figure: RSA NetWitness Endpoint machine analysis dashboard]

[Figure: User Agent anomaly analysis and detection]

[Figure: Session beaconing activity detection]

BE THE HUNTER
Finding the needle in the haystack

The asymmetric nature of cyberattacks may make breach prevention seem impossible. Organizations cannot anticipate the time and nature of an attack. Yet it is possible to detect anomalies early in the attack cycle and accelerate investigations to identify related tactics such as lateral moves to other IT assets. For example, web shells are frequently used to gain access to a host system, providing the attacker with an initial foothold. Clues which can be used to detect web shell activity include:

- HTTP request methods such as GET and POST
- HTTP header blocks such as version, file paths, host name, user agent and content length

By gathering this data, organizations can begin to hunt for anomalies:

- Request anomalies - for example, inbound sessions which contain POST methods but no GET request, often associated with command and control exploits.
- Referrer anomalies - POST sessions without an IP referrer address may be a suspicious malware indicator, as human browsing behavior typically includes referrer data.
- Domain anomalies - the attackers' infrastructure often includes legitimate but compromised domains, from which additional instructions and payloads are downloaded. Repeated sessions at evenly distributed time intervals may denote beaconing to compromised domains.
- Payload anomalies - small and packed files, obfuscated data and encoded strings are potential risk indicators and may merit further investigation.

[Figure: RSA NetWitness Endpoint command & control exploit detection]

[Figure: Lateral move detection]

[Figure: Phishing detection]
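The hunts just described, run over constructed HTTP session records as an added example (this is not RSA or NetWitness code; the record fields, the RFC 1918 directionality categories and the jitter threshold are this example's own assumptions): inbound POSTs with no prior GET, POSTs with no referrer, and outbound sessions to one host at evenly spaced intervals.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 private ranges define the internal address space
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def session(ts, src, dst, method, host, referer="", length=0):
    """One HTTP session record; the field names are this example's own."""
    return dict(ts=ts, src=src, dst=dst, method=method, host=host,
                referer=referer, length=length)

# Constructed sample data: 10.0.0.0/8 is our network, 10.0.0.20 serves
# www.example.org, and the documentation addresses stand in for the Internet.
SESSIONS = [
    # normal outbound browsing: GET first, then a POST carrying a referer
    session(100, "10.0.0.8", "203.0.113.10", "GET", "shop.example.com"),
    session(130, "10.0.0.8", "203.0.113.10", "POST", "shop.example.com",
            referer="http://shop.example.com/cart", length=412),
    # normal inbound visitor: GET, then a form POST carrying a referer
    session(200, "192.0.2.9", "10.0.0.20", "GET", "www.example.org"),
    session(260, "192.0.2.9", "10.0.0.20", "POST", "www.example.org",
            referer="http://www.example.org/contact", length=310),
    # suspicious inbound: POST to our server with no prior GET and no referer
    session(300, "192.0.2.44", "10.0.0.20", "POST", "www.example.org", length=96),
] + [
    # suspicious outbound: small POSTs every 60 s with no referer
    session(1000 + 60 * i, "10.0.0.5", "198.51.100.7", "POST",
            "updates.example.net", length=48)
    for i in range(5)
]

def directionality(src, dst):
    """Data directionality of a session: internal, outbound or inbound."""
    s, d = (any(ip_address(a) in n for n in RFC1918) for a in (src, dst))
    return "internal" if s and d else "outbound" if s else "inbound"

def post_without_get(sessions):
    """Request anomaly: inbound POST from a client that never sent a GET."""
    got = {(s["src"], s["host"]) for s in sessions if s["method"] == "GET"}
    return [s for s in sessions if s["method"] == "POST"
            and directionality(s["src"], s["dst"]) == "inbound"
            and (s["src"], s["host"]) not in got]

def post_without_referer(sessions):
    """Referrer anomaly: POST sessions carrying no referer at all."""
    return [s for s in sessions if s["method"] == "POST" and not s["referer"]]

def beaconing(sessions, min_hits=4, max_jitter=0.1):
    """Domain anomaly: outbound sessions to one host at even intervals.
    Returns {(src, host): mean interval in seconds} for low-jitter series."""
    by_key = defaultdict(list)
    for s in sessions:
        if directionality(s["src"], s["dst"]) == "outbound":
            by_key[(s["src"], s["host"])].append(s["ts"])
    hits = {}
    for key, times in by_key.items():
        gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
        if len(times) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            hits[key] = mean(gaps)
    return hits
```

On the sample data only the 192.0.2.44 POST trips the request anomaly, the beacon series and that same POST trip the referrer anomaly, and the 10.0.0.5 series is reported as a 60 s beacon; a real hunt would raise min_hits and tune max_jitter against the environment's baseline.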

PUTTING IT ALL TOGETHER
RSA targeted attack detection

Protecting an organization's critical assets requires the right combination of technology and expertise. Attackers leave clues at both the network and the host levels, where valuable indicators of activity can be gathered for analysis. Security teams need to look for subtle indications of compromise and risky behavior rather than expect that preventive control mechanisms will succeed in blocking sophisticated adversaries.

RSA NetWitness and RSA Endpoint represent key technologies which provide organizations with the opportunity to gather early signs of compromise. When combined with the skills and knowledge transfer capabilities of RSA's IR team, organizations can begin to retake the high ground and protect the organization's most critical assets.

WHY WE ARE BETTER
Technical and Operational Expertise

RSA's ACD practice represents a team of professionals who have built and managed SOCs around the world, sharing resources and preferred practices with EMC's global Critical Incident Response Center, protecting over 60,000 employees in over 100 countries. The ACD practice includes our IR team, which has worked with customers across industry verticals and specializes in technical forensic analysis for targeted attack defense and remediation.

LEARN MORE
Be the Hunter

RSA's portfolio of ACD services enables organizations to evolve from being the hunted to being the hunter and develop the strategies required to navigate the new terrain of targeted attacks.

For more information on RSA's ACD capabilities, which are available on a global basis, please visit the web site: https://www.rsa.com.

ABOUT RSA

RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA's award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime. For more information, go to https://www.rsa.com.

EMC2, EMC, the EMC logo, RSA, the RSA logo, and Archer are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2016 EMC Corporation. All rights reserved. Published in the USA. 7/16 Data Sheet Incident Response Services. RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice. h14386