
Source: docs.govinfosecurity.com/files/whitepapers/pdf/745...

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Solution Brief


RSA Solution Brief

SUMMARY

New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle a much greater volume and wider scope of data than at present, not to mention provide them with tools to lead them quickly to the most pressing issues. They need threat intelligence about the latest tools, techniques, and procedures in use by the attacker community, and the ability to track and manage the responses initiated as a result of the issues they identify.

TRADITIONAL SECURITY ISN’T WORKING

According to the 2012 Verizon Data Breach Investigations report, 99 percent of breaches led to data compromise within “days” or less, whereas 85 percent of breaches took “weeks” or more to discover. This presents a significant challenge to security teams as it grants attackers extended periods of time within a victim’s environment. More “free time” leads to more stolen data and more digital damage.

Principally, this is because today’s security measures aren’t designed to counter today’s more advanced threats. Traditional security measures are often:

– Signature-based: looking for “known bad” data sequences based upon previous identical attacks
– Perimeter oriented: concentrating on preventing or detecting threats entering the organization
– Compliance driven: designed to meet the requirements of auditors, or specific government mandates, rather than addressing the biggest risks to the organization

Simultaneously, threats are becoming exponentially more advanced. The threats often seen today are:

– Agile: they anticipate the means organizations use to protect themselves and use adaptive techniques to evade many common detection and prevention systems
– Focused: today’s threats often have very specific goals, perhaps targeting a narrow class of organization, or even one organization
– Intelligent: they use a wide range of social engineering techniques and technical exploits to gain a foothold within victim organizations and avoid detection

This means that organizations need to start thinking differently about the tools they deploy and the techniques they use to defend themselves.


[Figure: Rapidly Evolving Threats. Actor labels shown: Nation State Actors; Non-state Actors; Criminals; Terrorists; Anti-establishment vigilantes; “Hacktivists”; Petty criminals; Organized crime. Sophistication axis: Unsophisticated to Organized, sophisticated. Target labels: targets of opportunity; supply chains (PII, financial services, retail); PII, government, defense industrial base, IP rich organizations; PII, government, critical infrastructure.]


TRADITIONAL SIEM HAS BEEN A GOOD START

RSA has long been a provider of industry-leading Security Information and Event Management solutions, and believes that traditional SIEM systems have been valuable in providing:

– Reporting on device activity, providing key insights into who, what, where, and when critical activities are taking place
– Basic alerting on known sequences through correlation rules that can draw attention to the most egregious or suspicious uses of computing resources
– Proof of compliance for internal and external auditors through regular reports, created in an automated fashion rather than being manually generated for every audit or assessment
– Central view into disparate event sources being collected so that security teams can make decisions more rapidly based upon information collected from a number of sources

However, in today’s landscape, new requirements need to be taken into account. Attacks now come not just from vandals or amateurs, but from sophisticated criminal enterprises and even nation states. These attackers deploy advanced techniques such as covering their tracks in log files and minimizing the number of “auditable events.” As such, traditional SIEM proves insufficient, and organizations must take a more advanced approach to countering these threats.

ORGANIZATIONS NEED MORE EFFECTIVE SECURITY MANAGEMENT SOLUTIONS

In this world of advanced threats, security teams need to quickly determine how an attack happened, to reduce the “attacker free time”—the time between the attacker entering the environment and being detected in the infrastructure—and to put measures in place to prevent similar future attacks. Given this, RSA believes organizations need a more effective platform that addresses more security management problems, since:

– Advanced threats require enterprise-wide visibility into network traffic and log event data: neither network traffic data nor log event data alone provides enough information to detect and investigate these types of threats
– Security is now a Big Data problem for SOC analysts: SOC analysts now need to delve into a much larger, dynamic, and diverse set of data to identify advanced threats—which requires the fusion of internal and external intelligence
– Compromise is inevitable: a realistic goal is not to resist all attacks, but to react fast to mitigate damage and thus minimize the impact on the business


To this end, experienced security practitioners are asking RSA to help them:

– “Collect everything that’s happening in my infrastructure.” Previous approaches to security have depended on using information about known threats to make decisions about which data to collect about what is happening within the environment. With more agile, advanced threats, making those assumptions ahead of time makes it likely that when the threat arises, the security teams won’t have all the information needed to respond properly. This means that in today’s environment, security teams want to collect everything about what is going on.
– “Help me to identify key targets and threats.” In a large, complex IT infrastructure, it is difficult to keep track of what each system does and the ways in which it might be attacked. Security teams need a way to interface with the business to identify the most critical information, business processes, and supporting assets, to best assess the threats the organization faces.
– “Enable me to investigate and prioritize incidents.” Also in a large, complex IT infrastructure, there are often so many issues to deal with that security teams need more guidance around identifying the most pressing issues, and which ones could have the highest impact on the business. This means having more information about the business context of incidents and the criticality of the systems and processes they affect.
– “Enable me to manage those incidents.” Responding to incidents can be a tricky affair—from assessing the damage, to communication, to remediation and cleanup—requiring the coordination of resources across a wide range of teams, both within IT and across the business. Security teams need a way to kick off and coordinate these activities to minimize the adverse impact on the business.

FULL NETWORK VISIBILITY IS A MUST

The most advanced threats can be extremely difficult to detect. Often, their most visible footprint is on the network as they enter the IT environment, propagate throughout it, and exfiltrate data to its intended destination. As such, full network packet capture is necessary to:

– Identify malware entering the environment and prioritize actions related to it. Modern malware looks very much like any other file traversing a network, but full packet capture allows organizations to isolate and reconstruct executable files, and automate much of the analysis needed to identify tell-tale signs of malicious intent. This then helps malware analysts prioritize which issues they need to respond to first.
– Track the lateral movement of an attacker once inside the organization. Once an attacker has a foothold within an organization, they often move laterally from endpoint-to-endpoint gathering the necessary information to launch the next stage in the attack. Since these endpoints are seldom centrally monitored, full network packet capture is needed to gain visibility into this lateral movement within an organization.
– Prove exactly what happened and what data was exfiltrated. Many advanced threats will not be detected until the attack is in progress, or even after it has been completed. At this point, security teams need to be able to assess the damage by reconstructing the attack and determining what data, if any, has left the organization, and whether it was encrypted or not.

RSA’S APPROACH PROVIDES AN END-TO-END SECURITY MANAGEMENT APPROACH

The RSA approach to security management is based upon four key elements (see figure):

– A Big Data approach to security management. RSA’s distributed data architecture allows customers to collect and analyze security data at an unprecedented scale and rate of change.


– A unified approach to security analytics. RSA aims to provide a common set of tools for analyzing security data, to support the major analytic activities, from alerting and reporting to malware analytics.
– A governance layer that binds security analytics to the business. RSA’s unique portfolio helps customers streamline the process of gathering information from the business about critical business processes and systems, and the business requirements for securing them.
– Threat Intelligence that empowers customers with up-to-date knowledge. RSA distributes current, actionable intelligence about the threat environment to the products, allowing organizations to relate the intelligence specifically to their environments.

The RSA approach provides customers with:

Comprehensive visibility. RSA’s portfolio allows unparalleled visibility into what is happening within the infrastructure.

– Infrastructure to support collection without limitations: the ability to collect many types of security data, at scale and from many types of data sources
– Unified visibility into network and log data: a single place to view data about advanced threats and user activity from data gathered directly from the network or from key systems

Agile analytics. RSA provides tools that make detailed information available to investigators in the simplest way possible.

– Platform for performing rapid investigations: intuitive tools for investigation presented for rapid analysis, with detailed drill down and incorporation of business context to better inform the decision making process
– Session replay and signature free analytics: tools to hone in on the most suspicious users and end points connected to your infrastructure and the tell-tale signs of malicious activity. Also provides the ability to recreate and replay exactly what happened

Actionable Intelligence. Threat intelligence provided by RSA helps security analysts get the most value from RSA products by incorporating feeds of current threat information.

– Current threat intelligence correlated with collected data: proprietary intelligence from a community of security experts, built into our tools and leveraged through rules, reports, and watch lists to gain insight into threats from data collected from the enterprise

[Figure: RSA Security Analytics. Data Collection: full packet data collection and log data collection (logs and packets). Archiving: short term archive and long term archive. Analytics & Reporting: investigations, security reporting and alerting, malware analytics, compliance reporting & forensic analysis. Threat Intelligence.]

EMC2, EMC, the EMC logo, RSA, NetWitness, and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other products or services mentioned are trademarks of their respective companies. ©Copyright 2012 EMC Corporation. All rights reserved. Published in the USA. h9093 impsa sb 0412

ABOUT RSA

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, encryption & key management, SIEM, data loss prevention, continuous network monitoring, and fraud protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

– Prioritized actions based upon business context: incorporation of information from the business showing the relationship between the systems involved and the business functions they support

Optimized process management. RSA products help security teams streamline the diverse set of activities related to preparedness and response.

– Technology and services for the full security and compliance lifecycle: a workflow system to define and activate response processes, plus tools to track current open issues, trends, and lessons learned. RSA also provides industry-leading services to help prepare for, detect, and respond to incidents
– Integrated into a security and compliance management system: integration with the RSA portfolio and third-party tools to exchange information with the wide range of tools needed to identify and handle incidents and streamline compliance management

WHY RSA FOR SECURITY MANAGEMENT?

RSA is uniquely positioned to help customers meet their objectives in the following ways:

RSA provides a unique product portfolio to address the most critical problems of advanced threats

– With RSA NetWitness® network monitoring, RSA has the only platform which provides visibility into a full network session and log data from across the enterprise
– With RSA NetWitness monitoring, RSA has the only unified platform for real-time forensics which includes automated advanced threat and zero-day malware analysis
– RSA has a proven, scalable platform providing enterprise-wide situational awareness at seven out of the Fortune 10 and 70 percent of U.S. federal agencies

RSA integrates actionable, proprietary threat intelligence into our products

– RSA is a leading provider of threat research which monitors real-life underground attacker activity
– The RSA NetWitness Live research team tracks over five million IPs and domains and hundreds of unique threat feed sources
– RSA updates and dynamically distributes its threat content library every hour through RSA NetWitness Live

RSA addresses the people, process, and technology challenges of security and compliance

– RSA is a leading provider of services to assist with incident preparedness, plus incident response and cleanup
– RSA has the only solution to support both IT and business aspects of managing security through its integration with the RSA Archer eGRC platform
– RSA has the unified platform to support compliance management, security threat management, incident management, and business continuity management