RSA SECURITY ANALYTICS
Network Monitoring & Forensics
Data Sheet

AT A GLANCE
• Augment your existing SIEM's capabilities with better visibility, analysis and workflow.
• Discover attacks missed by other tools.
• Inspect every packet session for threat indicators at time of collection with capture time data enrichment.
• Instantly pivot from incidents into network packet detail to perform network forensics and understand the true nature and scope of the issue.

SECURITY TEAMS NEED MORE FIREPOWER
Today's threats are multi-faceted, dynamic and stealthy. The most dangerous attacks have never been seen before, rendering signature-based technologies ineffective. These threats often don't leave a footprint in logs, so security teams must augment their existing security technologies with network packet-based detection and investigations. To be effective, today's tools need to be able to handle the most current threats and handle issues like:
• Lateral movement of threats as they gain a foothold
• Covert characteristics of attack tools, techniques and procedures
• Use of non-standard communication tools
• Exfiltration or sabotage of critical data

To raise their game, security teams need more effective threat detection and need to conduct investigations significantly faster. This includes the ability to look at all this data with the minimum amount of manual effort, detect abnormal activity, analyze potential threats, and do a more detailed investigation of those threats that pose the biggest risks. When seeking more clarity and definitive answers to the most challenging security questions, security teams need a deeper level of detail and the agility to quickly examine application layer sessions and events in a way that is easy to comprehend, and this needs to be done in a matter of minutes, not hours or days.

RSA Security Analytics for Network Forensics

DEEP VISIBILITY DRIVES DETECTION
RSA Security Analytics captures and enriches full network packet data alongside other data types, like NetFlow, logs and endpoint data. RSA Security Analytics is a security solution with a flexible, modular approach, allowing you to choose the full solution or to augment your existing security technologies with just network packet-based detection and investigation capabilities.

RSA's Network Forensic and Monitoring solution:

• Performs data enrichment at the time of capture. It uses the solution's patented metadata framework to organize the data in a clear and navigable way. The metadata framework is based on a lexicon of nouns, verbs and adjectives that characterize the actual application layer content and context parsed by Security Analytics at the time of capture. The metadata from the packets is normalized so the analyst can focus on the security investigation instead of data interpretation.

• Executes rapid, deep investigation into network data. Having full network packet data allows you to readily reconstruct exactly what happened. With RSA Security Analytics this happens instantly, since the raw network data is tagged at the time of capture for rapid retrieval in the event of an investigation, rather than being slowly reconstructed while a problem is being investigated and time is at a premium. In addition, the incident management capability built into RSA Security Analytics lets investigators collaborate, annotate and manage response activities around a particular issue.

• Automatically updates with the latest threat intelligence. RSA Security Analytics includes hundreds of parsers, plus dozens of correlation rules and feeds that detect the most current threats. RSA automatically delivers this threat intelligence to customers and embeds it into their systems. Therefore, users are able to more easily take advantage of what others have already found and spend less time building their system to identify threats that exist in their own environment.

CAPTURE TIME PACKET DATA ENRICHMENT MAKES DETECTION AND INVESTIGATIONS FASTER AND EASIER
RSA's security approach is akin to removing the hay (known good) until only needles (likely bad issues) remain, as opposed to traditional security approaches, which attempt to search for needles in a giant haystack of data. To achieve this, RSA performs deep data enrichment right at the time of capture, making it much faster and more valuable for analysis in the midst of an investigation. This includes additional context, such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information and configuration data, expressed in over 175 different metadata fields. The figure below shows a sample of session characteristics captured by RSA Security Analytics.

UNIQUE DISTRIBUTED ARCHITECTURE FOR SCALABILITY
RSA Security Analytics' unique architecture allows organizations to collect and analyze large amounts of data and expand linearly. The federated infrastructure allows organizations to scale while still maintaining the ability to analyze and query seamlessly across the system. To handle application layer traffic in real time at high data rates, the capture infrastructure must scale out as well as scale up. The distributed and hierarchical nature of the Security Analytics infrastructure enables an organization to incrementally add data collection, analysis and archiving as needed. In higher-throughput environments, the ability to separate primary read and write-to-disk functions allows Security Analytics to maintain both high capture rates and fast analytic response times.

FLEXIBLE INTEGRATION
Integrate with your existing SIEM implementation by using the RSA Security Analytics open API to extend its value. This gives you the ability to easily investigate alerts found in your existing SIEM using RSA Security Analytics, or to forward alerts from RSA Security Analytics to your SIEM or other tool. RSA Security Analytics can also combine your existing SIEM alerts with RSA Security Analytics alerts in the Incident Management console. This gives analysts the ability to aggregate alerts across tools into security incidents, which are then prioritized for a much more informed and efficient response.

EMC2, EMC, the EMC logo, and RSA are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2014 EMC Corporation. All rights reserved. Published in the USA. 08/14 Data Sheet H13416

EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.

CONTACT US
To learn more about how EMC products, services, and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller or visit us at www.emc.com/rsa.