RSA enVision SIEM for Cisco


  • Managing Advanced Threats

    with RSA SIEM, NAV, and DLP solutions

    David Mateju, Senior Technology Consultant

    RSA, The Security Division of EMC

    [email protected]

  • 2

    1. Phishing emails

    John receives a phishing email that was customized for him.

  • 4

    2. Drive-by download

    John clicks the link and his machine is infected by a Trojan delivered through a drive-by download (diagram: John's machine).

  • 5

    3. Attacker gains access to a critical server

    The Trojan installs a backdoor that gives the attacker a reverse connection to the infected machine. The attacker dumps password hashes from it, recovers working credentials, and logs on to a critical server via RDP (diagram: John's machine → RDP with stolen password → Critical Server).

  • 6

    4. Data exfiltration

    The attacker encrypts sensitive files found on the critical server and transfers them out via FTP (diagram: Critical Server → External Server).

  • 7

    DLP detects file transfer activity (RSA Data Loss Prevention)

    DLP Network detects the transfer of an encrypted file over FTP. Because the content is encrypted it cannot be inspected, so the detection is on an encrypted file leaving the network, not on what it contains.

  • 8

    Correlation alert triggered from SIEM (RSA enVision)

    RSA enVision generates an alert from two correlated events on the same host within the rule's time window:

    1. A successful RDP connection to the critical server

    2. DLP activity on the same server

  • 9

    Incident escalation to SOC and/or GRC dashboard (RSA Archer eGRC)

    RSA enVision alerts are sent to RSA Archer via RCF. RSA Archer links the incident with business context and prioritizes it as HIGH.

  • 10

    Seamless integration to NAV (RSA NetWitness)

    Two-click pivot from the Archer console to NetWitness; SIEMLink transparently retrieves the full session detail from NextGen.

  • 11

    Spectrum Automated Malware Analysis

    Spectrum instantly provides a detailed analysis of the executable file in question.

  • 12

    Interactive Analysis with Investigator

    Context of all network activity to/from the critical server; confirms John's machine (192.168.100.142) as the source of the RDP session.

  • 13

    Interactive Analysis with Investigator

    Drill into all network sessions from John's machine. Indicators in the suspect session: a small executable file, transferred over HTTP, with a suspicious filename and extension, fetched from a suspicious domain name. Malware?!?
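The indicators on this slide (an executable body hiding behind a benign-looking filename and Content-Type, moving over HTTP) can be checked from the raw session rather than from its labels, which is the point of content-aware, port-agnostic analysis. The following is an added Python example written for this page; it is not RSA NetWitness code and does not use its APIs. The two HTTP sessions, the host names and the file-type table are constructed for the example, and the 7.2 bits-per-byte entropy threshold used to flag a possibly packed body is an assumption.

```python
import math

# Constructed sample sessions for this example (not real captures).
# Session 1: a file requested as "photo.jpg" and served as image/jpeg whose
# body starts with the DOS/PE 'MZ' magic, i.e. an executable in disguise.
PE_REQUEST = b"GET /images/photo.jpg HTTP/1.1\r\nHost: cdn-update.example\r\n\r\n"
PE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 64\r\n\r\n"
    + b"MZ\x90\x00" + bytes(range(60))
)
# Session 2: a genuine JPEG served with a matching name and type.
JPEG_REQUEST = b"GET /images/logo.jpg HTTP/1.1\r\nHost: www.example\r\n\r\n"
JPEG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 16\r\n\r\n"
    + b"\xff\xd8\xff\xe0" + b"\x00" * 12
)

# File type by leading bytes, with the extensions and Content-Types that are
# consistent with it. Identification ignores what the sender claims, which is
# what makes the check label- and port-agnostic.
MAGIC = [
    (b"MZ", "pe-executable", {"exe", "dll", "scr", "sys"},
     {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}),
    (b"\x7fELF", "elf-executable", {"", "so", "elf"}, {"application/octet-stream"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}, {"image/jpeg"}),
    (b"%PDF", "pdf", {"pdf"}, {"application/pdf"}),
]


def shannon_entropy(data):
    """Bits per byte of the payload; 8.0 is uniform. Packed or encrypted bodies run high."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_http(msg):
    """Split a raw HTTP message into (start line, lowercase header dict, body bytes)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def identify(body):
    for magic, kind, exts, ctypes in MAGIC:
        if body.startswith(magic):
            return kind, exts, ctypes
    return "unknown", set(), set()


def analyze_session(request, response, entropy_threshold=7.2, min_entropy_len=256):
    """Return the indicators an analyst would drill into for one HTTP session."""
    req_line, req_headers, _ = split_http(request)
    path = req_line.split()[1]
    filename = path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    _, headers, body = split_http(response)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    kind, exts, ctypes = identify(body)

    findings = []
    if kind.endswith("executable"):
        findings.append("executable_content")
    if kind != "unknown" and ext not in exts:
        findings.append("extension_mismatch")
    if kind != "unknown" and declared and declared not in ctypes:
        findings.append("content_type_mismatch")
    # Entropy is only meaningful on a body large enough to estimate it.
    if len(body) >= min_entropy_len and shannon_entropy(body) >= entropy_threshold:
        findings.append("high_entropy_body")

    return {
        "host": req_headers.get("host", ""),
        "filename": filename,
        "declared_type": declared,
        "detected_type": kind,
        "size": len(body),
        "findings": findings,
    }


if __name__ == "__main__":
    for req, resp in ((PE_REQUEST, PE_RESPONSE), (JPEG_REQUEST, JPEG_RESPONSE)):
        print(analyze_session(req, resp))
```

The first session is reported as a 64-byte PE executable with both an extension mismatch and a Content-Type mismatch, which is exactly the "small executable, suspicious name, wrong type" picture on the slide; the second session produces no findings. In a real pipeline the same function would run over every reassembled session regardless of port, and the `host` field is what you pivot on when the domain itself looks suspicious.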

  • RSA enVision SIEM Platform (also for Cisco network and security devices)

  • 15

    RSA enVision 3-in-1 SIEM Platform

    Log sources: servers, storage, applications / databases, security devices, network devices

    Simplifying Compliance: compliance reports for regulations and internal policy (auditing, reporting)

    Enhancing Security: real-time security alerting and analysis (forensics, alerting / correlation)

    Optimizing IT & Network Operations: IT monitoring across the infrastructure (visibility, network baseline)

    Built on the RSA enVision Log Management platform with a purpose-built database (IPDB)

  • 16

    Simplifying Compliance: Robust Alerting & Reporting

    1400+ reports included out of the box

    240+ devices supported out of the box

    Easily customizable

    Grouped according to standards, e.g. national laws (SOX, Basel II, J-SOX), industry regulations (PCI), best practices & standards (ISO 27002, ITIL)

  • 17

    Cisco RSA enVision Integrations

    High-quality integrations due to the Cisco and RSA partnership: sharing of roadmaps and log/event knowledge; optimized log/event parsing, correlation rules, and reports

    20+ Cisco devices supported by RSA enVision, covering the latest versions of Security, Networking, Wireless and Virtualization products

    Cisco updates supported by RSA typically within one quarter of production release

    enVision product infrastructure designed to make adding Cisco devices easy

  • 18

    Cisco RSA enVision Integrations

    RSA enVision - MARS integration highlights: capture all 100+ MARS alerts and correlate them with other devices & applications throughout your infrastructure, OR send all raw logs from the MARS archives to enVision for processing

  • 19

    RSA enVision Enhances Cisco's Security Capabilities

    RSA enVision improves Cisco's security visibility: it correlates alerts from Cisco devices with information across other event streams (applications, databases, data loss prevention systems, physical and virtual servers, etc.) to improve protection of business-critical data and assets, and provides an interface to investigate issues Cisco devices identify.

    Logs and events from Cisco devices captured by enVision enable numerous use cases, e.g.:

    Latest IPS reputation scoring

    Location-aware access monitoring & alerting (via Cisco MSE)

    CS-MARS & ASA botnet detection

    Proactive views on web security gateways

  • 20

    Use Case: Security Incident Classification (leverages Cisco IPS reputation score)

    Cisco IPS 7.0 detects negative-reputation-score signatures; the analyst investigates a malware outbreak.

    RSA DLP (DLP Network) detects information leaving the network; DLP tells you whether confidential data was lost as a result.

    Without enVision to correlate Cisco IPS and DLP events: the analyst needs training in two products, and there is no single pane of glass to get the full picture.

    Without DLP: the true impact of the malware infection is not known.

    Without Cisco IPS: slower detection of the malware outbreak, and a more resource-intensive investigation.
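Slides 8 and 20 describe the same correlation pattern: a trigger event on a host (a successful RDP logon to a critical server, or a Cisco IPS fire against a negative-reputation source) followed within a window by a DLP violation from that same host, with the resulting incident's priority raised by the DLP confirmation and by the asset's business context as slide 9 describes. The following added Python example implements both rules over a constructed event stream; it is not RSA enVision code and does not use its correlation-rule syntax. The key=value event format, every address other than John's 192.168.100.142 from slide 12, the asset table, the 30-minute and 2-hour windows and the priority mapping are all assumptions made for the example (Windows logon type 10 is the RemoteInteractive type that an RDP logon records).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised event stream for this example (not output of
# any real product). 192.168.100.142 is John's workstation from the scenario;
# 10.10.5.20 stands in for the critical server (an assumption). Times are UTC.
RAW_EVENTS = """\
ts=2012-05-14T09:02:11 source=cisco_ips event=signature_fire sig=5990 reputation=-7.5 src=203.0.113.77 dst=192.168.100.142
ts=2012-05-14T09:04:30 source=windows event=logon_success logon_type=10 user=jsmith src=192.168.100.142 dst=10.10.5.20
ts=2012-05-14T09:09:02 source=rsa_dlp event=policy_violation policy=PII proto=ftp src=10.10.5.20 dst=198.51.100.9 file=q2.zip.enc
ts=2012-05-14T09:31:40 source=rsa_dlp event=policy_violation policy=PII proto=http src=192.168.100.142 dst=198.51.100.9 file=docs.rar
ts=2012-05-14T11:40:00 source=windows event=logon_success logon_type=10 user=admin src=10.10.7.3 dst=10.10.5.21
ts=2012-05-14T14:05:00 source=rsa_dlp event=policy_violation policy=PII proto=smtp src=10.10.5.21 dst=198.51.100.9 file=report.pdf
"""

# Business context a GRC system would supply: asset name and criticality per host (assumed).
ASSETS = {
    "10.10.5.20": {"name": "fin-db-01", "criticality": "high"},
    "10.10.5.21": {"name": "test-web-01", "criticality": "low"},
}


def parse_event(line):
    """Turn one key=value line into a dict with a datetime timestamp."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def make_incident(rule, host, trigger, dlp):
    asset = ASSETS.get(host, {"name": host, "criticality": "unknown"})
    # IPS hit + DLP means an infected host is confirmed to be leaking data: always HIGH.
    # RDP + DLP is rated by the business criticality of the server involved.
    if rule == "ips_reputation_then_dlp" or asset["criticality"] == "high":
        priority = "HIGH"
    else:
        priority = "MEDIUM"
    return {
        "rule": rule, "host": host, "asset": asset["name"], "priority": priority,
        "trigger_ts": trigger["ts"].isoformat(), "dlp_ts": dlp["ts"].isoformat(),
        "file": dlp.get("file"),
    }


def correlate(lines, rdp_window=timedelta(minutes=30), ips_window=timedelta(hours=2)):
    """Pair each DLP violation with an earlier trigger on the same host inside the window."""
    events = sorted((parse_event(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    rdp_by_host = defaultdict(list)   # RemoteInteractive (RDP) logons, keyed by target host
    ips_by_host = defaultdict(list)   # negative-reputation IPS fires, keyed by victim host
    incidents = []
    for ev in events:
        if ev["source"] == "windows" and ev["event"] == "logon_success" and ev.get("logon_type") == "10":
            rdp_by_host[ev["dst"]].append(ev)
        elif ev["source"] == "cisco_ips" and float(ev.get("reputation", "0")) < 0:
            ips_by_host[ev["dst"]].append(ev)
        elif ev["source"] == "rsa_dlp" and ev["event"] == "policy_violation":
            host = ev["src"]   # the host the data is leaving from
            for rdp in rdp_by_host[host]:
                if ev["ts"] - rdp["ts"] <= rdp_window:
                    incidents.append(make_incident("rdp_then_dlp", host, rdp, ev))
            for ips in ips_by_host[host]:
                if ev["ts"] - ips["ts"] <= ips_window:
                    incidents.append(make_incident("ips_reputation_then_dlp", host, ips, ev))
    return incidents


if __name__ == "__main__":
    for inc in correlate(RAW_EVENTS.splitlines()):
        print(inc)
```

On the sample stream this yields two incidents: the RDP logon to fin-db-01 followed five minutes later by an encrypted file leaving over FTP (HIGH, because the asset is critical), and the IPS reputation fire against John's machine followed by a DLP violation from it (HIGH, because data loss is confirmed). The RDP logon to the low-criticality test server produces nothing, since its DLP event falls outside the 30-minute window. Which events count as the "same host" (the DLP source versus the logon target) and the window sizes are the two things to tune per environment.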

  • 21

    Example of RSA enVision SOC Dashboard

  • 22

    RSA enVision in action at the EMC CIRC (EMC Critical Incident Response Center)

  • 23

    Sample Compliance Reports (PCI): Cisco router config changes; Cisco ASA top sources

  • 24

    Example ASA Reports

  • 25

    Cisco - RSA enVision Solution Benefits

    Reduce security risk: prioritize incidents by correlating threats with data sensitivity; identify threats more quickly with smarter correlation based on location

    Simplify compliance: map Cisco data (plus other compliance-relevant data, e.g. server logs) back to specific standards & regulations; 1300+ reports out of the box

    Optimize IT operations: audit security changes and enforce compliance; ease troubleshooting via a global view into network logs / events

  • RSA NetWitness for Network Analysis and Visibility (NAV)

  • 27

    Know Everything. Answer Anything.

    Why are packed or obfuscated executables being used on our systems?

    What critical threats are my Anti-Virus and IPS/IDS missing?

    I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?

    We need to better understand and manage the risks associated with insider threats; I want visibility into end-user activity and to be alerted on certain types of behavior.

    On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?

    How can I detect new variants of Zeus, Flame, Citadel or other zero-day malware on my network?

    We need to examine critical incidents as if we had an HD video camera recording it all

  • 28

    Understanding the RSA NetWitness Network Monitoring Platform

    Inputs: network traffic and logs, fused with threat intelligence; output: normalized data with application-layer context

  • 29

    Automated Analysis, Reporting and Alerting (Informer)

    Flexible dashboard, chart and summary displays for a unified view of threat vectors

    Automated answers to any question, for network security, security / HR, legal / R&D / compliance, and IT operations

    HTML, CSV and PDF report formats included

    Supports CEF, SNMP, syslog and SMTP data push for full integration with a SIEM

  • 30

    Getting Answers to the Toughest New Questions (Investigator)

    Interactive data-driven session analysis of layer 2-7 content

    Award-winning, patented, port-agnostic session analysis

    Infinite free-form analysis paths and content / context investigation points

    Data presented as the user experienced it (web, voice, files, emails, chats, etc.)

    Supports massive data sets: instantly navigate terabytes of data; analysis that once took days now takes minutes

    Freeware version used by over 50,000 security experts worldwide

  • 31

    Automated Malware Analysis and Prioritization (Spectrum)

    Identify the widest spectrum of malware-based attacks; gain insight into attacks missed by both traditional and modern approaches to malware protection

    Analyze attacks by combining four distinct investigation techniques

    Automatically answer thousands of questions about the behavior of files

    Increase the speed and accuracy of investigations

  • 32

    A New Way to Look at Information (Visualize)

    Revolutionary visual interface to content on the network

    Extracts and interactively presents images, files, objects, audio, and voice for analysis

    Supports multi-touch, drilling, timeline and automatic-play browsing

    Rapid review and triage of content

  • 33

    Nonstop 24x7 Threat Intelligence Delivery System (Live)

    Automates insight into advanced threats

    Leverages the global security community to correlate and illuminate the most pertinent information

    Fuses intelligence with your network data at the time of capture

    Solutions to problem sets: advanced threats, malware, botnets, policy / audit, enterprise monitoring, fraud, user attribution, risk prioritization

    Prioritized and detailed reporting

  • 34

    RSA enVision SIEM Integration

  • 35

    RSA DLP Integration (SIEM Link)
