RSA NetWitness® Suite Enablement Guide __________________________________ Training and Certification Sales, Sales Engineers, and Delivery Roles

Post on 23-Mar-2020

RSA NetWitness® Suite

Enablement Guide

__________________________________

Training and Certification

Sales, Sales Engineers, and Delivery Roles

Contents

RSA NETWITNESS SALES ENABLEMENT

Sales Learning Path (Required)

RSA NetWitness Sales Associate Required Courses

RSA NetWitness Sales Associate Optional Courses

RSA NETWITNESS SYSTEMS ENGINEER ENABLEMENT

Systems Engineer Learning Path

Systems Engineer Enablement Process

RSA NetWitness Systems Engineer Associate Courses

RSA NetWitness Systems Engineer Professional Courses

RSA NetWitness Systems Engineer Master Courses

RSA NETWITNESS SUITE DELIVERY SERVICES ENABLEMENT

Delivery Services Learning Path

RSA NetWitness Suite Delivery Services Enablement Process

RSA NetWitness Suite Delivery Services Associate

RSA NetWitness Suite Delivery Services Professional

RSA NetWitness Suite Delivery Services Master

RSA NETWITNESS SALES ENABLEMENT

Sales Learning Path (Required)

Associate

Why Partner with RSA NetWitness

Business-Driven Security and RSA NetWitness Suite

Introduction to Evolved SIEM

Problems Solved by RSA NetWitness

RSA NetWitness Suite within the Security Stack

Identifying RSA NetWitness Suite Opportunities

RSA NetWitness Suite Customer Use Cases

RSA NetWitness Suite- Evolved SIEM Sales Scenario

Securing Data in the Cloud with RSA NetWitness Suite

RSA NetWitness Endpoint Detection & Response

RSA NetWitness Endpoint Sales Scenario

RSA NetWitness Endpoint Customer Story

Winning with RSA NetWitness Suite

RSA NetWitness Suite Pricing & Packaging

Solution Frequency Series #1

RSA NetWitness Sales Associate Required Courses

All required and optional training can be accessed on the Partner Portal

2018-2019: RSA NetWitness Sales Associate

SALES ASSOCIATE - REQUIRED

| COURSE NAME | DESCRIPTION | DURATION (min:sec) |
| --- | --- | --- |
| Why Partner with RSA NetWitness | Learn how partnering with RSA is beneficial and how you can be successful selling RSA NetWitness Suite. | 2:36 |
| Business-Driven Security and RSA NetWitness Suite | Learn what Business-Driven Security and RSA NetWitness are, how RSA NetWitness Suite fits into the Business-Driven Security strategy, and | 6:27 |
| Introduction to Evolved SIEM | In this short video you will learn about the evolution of SIEM, SIEM goals versus the reality of SIEM, and some SIEM organization requirements. | 2:58 |
| Problems Solved by RSA NetWitness | Laura MacDonald, an advisory systems engineer, will tell you about RSA NetWitness capabilities and some RSA NetWitness success stories. | 4:15 |
| RSA NetWitness Suite within the Security Stack | Here you will learn about some important customer pain points and how RSA NetWitness fits in. | 5:31 |
| Identifying RSA NetWitness Suite Opportunities | In this video you will get a high-level overview of the RSA NetWitness platform and learn how to position RSA NetWitness to identify opportunities. | 4:33 |
| RSA NetWitness Suite Customer Use Cases | Amy Blackshaw addresses five things to listen for in customer meetings to position an RSA NetWitness opportunity. | 4:27 |
| RSA NetWitness Suite - Evolved SIEM Sales Scenario | Learn about some benefits of evolved SIEM and some discovery questions you can use to find an RSA NetWitness opportunity. | 5:09 |
| Securing Data in the Cloud with RSA NetWitness Suite | Mary Roark, a principal product marketing manager, talks about RSA NetWitness discovery questions, benefits of RSA NetWitness Suite for the cloud, and shares a customer success story. | 4:28 |
| RSA NetWitness Endpoint Detection & Response | David D’Aprile speaks to EPP and EDR differences and how RSA NetWitness Endpoint can be deployed and detect. | 4:23 |
| RSA NetWitness Endpoint Sales Scenario | In this video you’ll learn some benefits of RSA NetWitness Endpoint, some target customers, and customers’ pains and challenges to look out for. | 3:57 |
| RSA NetWitness Endpoint Customer Story | This video tells a customer success story. | 1:53 |
| Winning with RSA NetWitness Suite | This video will tell you about some unique differentiators of RSA NetWitness, why taxonomy is critical, and some advanced analytics. | 3:33 |
| RSA NetWitness Suite Pricing & Packaging | Learn about the new pricing approach and licensing details of RSA NetWitness. | 1:31 |
| Solution Frequency Series #1 | Joe answers some questions that he gets out in the field. | 8:19 |

Estimated Total Time: 51:12 Minutes

RSA NetWitness Sales Associate Optional Courses

All required and optional training can be accessed on the Partner Portal

2018-2019: RSA NetWitness Sales Associate

SALES ASSOCIATE - OPTIONAL

| COURSE NAME | DESCRIPTION | DURATION (min:sec) |
| --- | --- | --- |
| RSA NetWitness Suite Customer Testimonials | Listen to some customer testimonials from Adobe, Berkshire Bank, and KMD. | 4:46 |

Estimated Total Time: 4:46 Minutes

RSA NETWITNESS SYSTEMS ENGINEER ENABLEMENT

Systems Engineer Learning Path

Associate

RSA NetWitness Logs and Packets Overview

Business Driven Security Whiteboard

RSA NetWitness Packets Augmented SIEM Sales Scenario

RSA NetWitness Logs and Packets Architecture Whiteboard

RSA NetWitness EndPoint Architecture Whiteboard

RSA NetWitness Suite Foundations - EndPoint

RSA NetWitness Suite - EndPoint “Set the Hook” demo

Event Analysis Overview

Exploring the User Interface

Professional

RSA NetWitness Suite - Logs and Packets -Leveraging Core Service Features

RSA NetWitness Suite - Context Hub Re-Engineering

RSA NetWitness Suite - EndPoint Integration

RSA NetWitness Suite - Logs and Packets - Parsers Overview

RSA NetWitness Suite - EndPoint Analysis

RSA NetWitness Suite - EndPoint - YARA Rules Basics

RSA NetWitness Suite - Logs - Event Source Discovery

RSA NetWitness Suite - NetWitness EndPoint Use Case Demo

Master

RSA NetWitness Suite - Upgrading RSA NetWitness

RSA NetWitness Suite - Custom Demo Tips & Tricks

RSA NetWitness Suite - Logs and Packets - Hunting Pack Overview

RSA NetWitness Suite - Hunting APTs with RSA NetWitness

RSA NetWitness Suite - Logs and Packets - SSL Features

RSA NetWitness Suite - RSA NetWitness and the Cloud

RSA NetWitness Suite - Packets - Lua Parsers Overview

Systems Engineer Enablement Process

1. RSA NETWITNESS SYSTEMS ENGINEER ASSOCIATE COURSES

Complete Associate Level Required Training. This training will provide you with the foundational understanding of the Network visibility and Endpoint Platforms and specifically the RSA NetWitness Logs and Packets/Endpoint Products. You will also be exposed to the focus domains, selling and positioning the domains for your customers.

2. RSA NETWITNESS SYSTEMS ENGINEER PROFESSIONAL COURSES

Practice and prepare for NetWitness Logs and Packets/Endpoint configurations, Incident Management and Use Case Scenarios. These areas are essential to understanding and delivering NetWitness Logs and Packets/Endpoint Solutions to your customers.

3. RSA NETWITNESS SYSTEMS ENGINEER MASTER COURSES AND MENTORING

Once Steps 1 & 2 are successfully completed, RSA NetWitness Logs and Packets/Endpoint Practice resource(s) will be available to review your ability to conduct full RSA NetWitness Logs and Packets/Endpoint Solution demos and pre-sales based conversations. They will be able to provide mentoring. Mentoring can include, but is not limited to, ad hoc activities such as SME support for specific solutions, SME support for technical issues, and overall project guidance.

RSA NetWitness Systems Engineer Associate Courses

All required and recommended training can be accessed on the Partner Portal

2018-2019 RSA NetWitness Systems Engineer ASSOCIATE

ASSOCIATE – REQUIRED

| COURSE NAME | DESCRIPTION | DURATION (Hours) |
| --- | --- | --- |
| RSA NetWitness Suite - Logs and Packets - Overview | This video demonstrates the re-designed RSA NetWitness Logs and Packets user interface. After watching this video, an SE should be able to demonstrate the capabilities of RSA NetWitness Logs and Packets. | :10 |
| Business Driven Security Whiteboard | This video will explain the RSA Business Driven Security strategy, and how to correlate it to customer’s needs. | :15 |
| RSA NetWitness Suite – Logs and Packets – Augmented SIEM Sales Scenario | This video will explain why implementing RSA NetWitness Packets on top of an existing log centric SIEM is necessary in customer’s security operations centers. After viewing this video, an SE should be able to explain how to leverage RSA NetWitness Packets to enrich and aid investigations. | :05 |
| RSA NetWitness Suite - Logs and Packets Architecture Whiteboard | This video will provide a logical view of the RSA NetWitness Logs and Packets architecture. After watching this video, an SE should be able to explain the architectural components of RSA NetWitness Logs and Packets, what functions they perform, and how they communicate with each other. | :10 |
| RSA NetWitness Suite - Endpoint Architecture Whiteboard | This video will provide a logical view of the RSA NetWitness Endpoint architecture. After watching this video, SE’s should be able to explain what the architectural components of RSA NetWitness Endpoint are, what functions they perform, and how they communicate with each other. | :05 |
| RSA NetWitness Suite – Endpoint Foundations | This video will provide a thorough overview of RSA NetWitness Endpoint. After viewing this video, SE’s should be able to explain how RSA NetWitness Endpoint monitors network endpoints and assesses risk. SE’s should also be able to navigate the RSA NetWitness Endpoint user interface. | :20 |
| RSA NetWitness Suite - Endpoint “Set the Hook” demo | This video shows the basic demonstration of the RSA NetWitness Suite: Endpoint. An SE should be able to do this demo very quickly for any initial customer visit. | :12 |
| RSA NetWitness Suite – Logs and Packets – Event Analysis Overview | This video will provide an overview of the newly re-designed event analysis capability of RSA NetWitness Logs and Packets. After watching this video, an SE should be able to demonstrate the functionality of event analysis, including analyzing raw packet data, identifying requests and responses, and decoding selected text. | :06 |
| RSA NetWitness Suite – Logs and Packets – Exploring the User Interface | This video series will provide a thorough overview of the RSA NetWitness Logs and Packets user interface. After watching this video, an SE should be able to navigate RSA NetWitness Logs and Packets and demonstrate the capability of the different views in RSA NetWitness Logs and Packets. | :10 |

Estimated Total Time: 1.5 hours

RSA NetWitness Systems Engineer Professional Courses

All required and recommended training can be accessed on the Partner Portal

2018-2019 RSA NetWitness Systems Engineer PROFESSIONAL

PROFESSIONAL – REQUIRED

| COURSE NAME | DESCRIPTION | DURATION (Hours) |
| --- | --- | --- |
| RSA NetWitness Suite – Logs and Packets – Leveraging Core Service Features | This video will describe the new features of the core services of RSA NetWitness Logs and Packets. After viewing this video, SE’s should be able to describe each core service, the functions they perform, and how new features can aid in threat detection and response. | :25 |
| RSA NetWitness Suite – Logs and Packets – Context Hub Re-Engineering | This video will provide an overview of the RSA NetWitness Logs and Packets Context Hub. After viewing this video, SE’s should be able to explain and demonstrate how to navigate to the Context Hub, the different views of the Context Hub, and how the Context Hub can further enrich investigations. | :05 |
| RSA NetWitness Suite – Endpoint Integration | This video will detail how to integrate RSA NetWitness Endpoint with an existing RSA NetWitness Logs and Packets implementation. After watching this video, SE’s will be able to demonstrate the integration and how the two RSA NetWitness products work together to enrich investigations. | :10 |
| RSA NetWitness Suite – Logs and Packets – Parsers Overview | This video will show the RSA NetWitness Logs and Packets log data flow, describe the role of parsers in RSA NetWitness Logs and Packets and the process used to create and deploy log parsers. | :15 |
| RSA NetWitness Suite – Endpoint Analysis | This video will show how to schedule scans using machine groups, interpret scan results based on Module and Machine context and consider advanced threats employing key Windows executables and processes. | :30 |
| RSA NetWitness Suite – Endpoint – Yara Rules Overview | This video explains YARA rules, their purpose and mechanics. You can then see how to check status, create and modify rules, and learn about Yara Rule Sources and extracting signatures from Trojans. | :05 |
| RSA NetWitness Suite – Logs and Packets – Event Source Discovery | This video will provide an overview of the event source discovery capabilities of RSA NetWitness Logs. After viewing this video, an SE should be able to explain how event sources are defined in RSA NetWitness. | :05 |

Estimated Total Time: 1.5 hours

RSA NetWitness Systems Engineer Master Courses

All required and recommended training can be accessed on the Partner Portal

2018-2019 RSA NetWitness Systems Engineer MASTER

MASTER – REQUIRED

| COURSE NAME | DESCRIPTION | DURATION (Hours) |
| --- | --- | --- |
| RSA NetWitness Suite – Upgrading RSA NetWitness | This video will demonstrate the proper way of upgrading the RSA NetWitness Suite to newer versions. After viewing this video, SE’s should be able to explain how to upgrade to newer versions, demonstrate the upgrade process, and offer best practices to customers wanting to upgrade. | :30 |
| RSA NetWitness Suite – Preparing for a Custom Demonstration | This video will provide helpful tips when preparing for a custom demonstration for a customer. | :05 |
| RSA NetWitness Suite – Logs and Packets – Hunting Pack Overview | This video will review and demonstrate the power of the RSA NetWitness Hunting Pack, available for download from RSA Live. After watching this video, SE’s should be able to explain the methodology behind hunting for threats, and demonstrate the effectiveness of the RSA NetWitness Hunting Pack. | :20 |
| RSA NetWitness Suite – Hunting APTs with the RSA NetWitness Suite | This video will replicate a cyber-attack from beginning to end, and demonstrate how the RSA NetWitness Suite enables threat detection and response. | :20 |
| RSA NetWitness Suite – RSA NetWitness Suite and the Cloud | This video will review how the RSA NetWitness Suite can help identify threats in customer’s cloud deployments. After viewing this video, SE’s will be able to explain how the RSA NetWitness Suite ingests logs and packets from various cloud deployments in a customer’s environment. | :10 |
| RSA NetWitness Suite – Logs and Packets – SSL Features | This video will review how the RSA NetWitness Suite handles the blind spot encrypted traffic causes in customer’s environments. After watching this video, SE’s will be able to demonstrate how RSA NetWitness can decrypt and enrich incoming traffic. | :10 |
| RSA NetWitness Suite Packets – Lua Parsers Overview | This video will review Lua Parsers in depth. After viewing this video, SE’s will be able to explain how Lua Parsers work, their primary function, and begin to demonstrate the creation of custom Lua Parsers. | :10 |

Estimated Total Time: 1.5 hours

RSA NETWITNESS SUITE DELIVERY SERVICES ENABLEMENT

Delivery Services Learning Path

Associate

NetWitness Logs and Packets Introduction

Delivery Methodology

Foundations

Core Administration

Incident Management

Intro to ESA

Installation and Configuration

Troubleshooting Methodology Framework

NetWitness Logs and Packets Introduction to Troubleshooting

Endpoint Foundations

NetWitness Endpoint Administration

Selling and Scoping NetWitness Services

Endpoint Fundamentals

Endpoint Installation

Business-Driven Security

How to Sell NetWitness Training

SecOps Manager Essentials

SecOps Manager Installation

Professional

NetWitness Logs and Packets Event Sources

NetWitness Logs and Packets Log Parsers Overview

NetWitness Logs and Packets ESA EPL Rules

NetWitness Logs and Packets Malware Analysis

NetWitness Logs and Packets Hunting

NetWitness Logs and Packets 10G Interface Installation

NetWitness Logs and Packets Analysis

NetWitness Logs and Packets Troubleshooting User Roles

NetWitness Context Hub Deep Dive and Troubleshooting Tips

NetWitness Logs and Packets Troubleshooting ESA EPL Rules

NetWitness Logs and Packets Troubleshooting the Platform

NetWitness Logs and Packets Troubleshooting Upgrades

NetWitness Endpoint Analysis

NetWitness Endpoint Hunting

NetWitness Endpoint Troubleshooting

RSA SecOps Manager Implementation

NetWitness Logs and Packets Tuning and Optimization

NetWitness Endpoint Writing Yara Rules

Master

NetWitness Logs and Packets WinRM Configuration and Troubleshooting

Hunting Workshop for Analysts

NetWitness Logs and Packets LUA Parsers

NetWitness Logs and Packets Integration with RSA NetWitness Endpoint

NetWitness Logs and Packets REST API

NetWitness Packets and Splunk Integration

NetWitness LUA Parsers for Logs

NetWitness Logs and Packets Tuning and Optimization

On-Demand Lab

On-Demand Classroom

On-Demand Learning

RSA NetWitness Suite Delivery Services Enablement Process

Remove the Master Certification from the slide.

1. Complete the RSA NetWitness Associate REQUIRED training

See information that follows for a complete list of all Associate-level training. Note that Optional training is highly recommended as it will address new product releases and other topics that are important for successful delivery services engagements.

2. Pass the RSA NetWitness Endpoint Certified Associate Exam

The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Associate path. The time allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Endpoint Certified Associate certification. Refer to the “Certification” section of this guide for additional information on how to register and complete the RSA NetWitness Endpoint Certified Associate exam. You have 2 attempts to attain a score of 70 or higher. If you do not pass the Associate exam, next steps will be determined by your Channel Manager.

3. Pass the RSA NetWitness Logs and Packets Certified Associate Exam

The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Associate path. The time allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Logs and Packets Certified Associate certification. Refer to the “Certification” section of this guide for additional information on how to register and complete the RSA NetWitness Logs and Packets Certified Associate exam. You have 2 attempts to attain a score of 70 or higher. If you do not pass the Associate exam, next steps will be determined by your Channel Manager.

4. Complete the RSA NetWitness Professional REQUIRED training

See information that follows for a complete list of all Professional-level training. Note that Optional training is highly recommended as it will address new product releases and other topics that are important for successful delivery services engagements.

Master

5. Pass the RSA NetWitness Endpoint Certified Professional Exam

The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Professional path. The time allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Endpoint Certified Professional certification. Refer to the “Certification” section of this guide for additional information on how to register and complete the RSA NetWitness Endpoint Certified Professional exam. You have 2 attempts to attain a score of 70 or higher. If you do not pass the Professional exam, next steps will be determined by your Channel Manager. Note that you cannot complete the RSA NetWitness Endpoint Certified Professional exam without successfully passing the RSA NetWitness Endpoint Certified Associate exam.

6. Pass the RSA NetWitness Logs and Packets Certified Professional Exam

The exam, which is available through Pearson VUE Testing Centers, will test on the required training in the Professional path. The time allocated to complete this exam is 90 minutes. Once you pass this exam, you will attain the RSA NetWitness Logs and Packets Certified Professional certification. Refer to the “Certification” section of this guide for additional information on how to register and complete the RSA NetWitness Logs and Packets Certified Professional exam. You have 2 attempts to attain a score of 70 or higher. If you do not pass the Professional exam, next steps will be determined by your Channel Manager. Note that you cannot complete the RSA NetWitness Logs and Packets Certified Professional exam without successfully passing the RSA NetWitness Logs and Packets Certified Associate exam.

7. Complete the RSA NetWitness Master REQUIRED training

See information that follows for a complete list of all Professional-level training. Note that Optional training is highly recommended as it will address new product releases and other topics that are important for successful delivery services engagements.

8. Participate in RSA NetWitness Shadow/Reverse Shadow with RSA NetWitness Professional Services

Participate in Shadow/Reverse Shadow with the RSA Delivery Team for 6 weeks. Delivery includes working side-by-side with RSA Practice members to deliver customer projects. Reverse shadowing will include all phases of the delivery methodology with a strong focus on achieving a positive impact on customer satisfaction.

9. Successfully complete the Performance Testing by RSA Archer Professional Services

After successfully demonstrating capability to deliver Archer Services in an effective manner while also achieving a high level of customer satisfaction, final evaluation will be administered. Upon a successful evaluation, you will receive accreditation to perform RSA NetWitness Delivery Services.

RSA NetWitness Suite Delivery Services Associate

All required and recommended training can be accessed on the Partner Portal

2018-2019 RSA NetWitness Delivery Services Associate

ASSOCIATE – REQUIRED

COURSE NAME

DESCRIPTION

DURATION (hours)

RSA NetWitness Logs and

Packets Introduction

This on-demand learning provides an introduction to the RSA NetWitness Logs and Packets product,

along with the components and different appliances that make up an RSA NetWitness Logs and

Packets implementation. You will first familiarize yourself with the RSA NetWitness Logs and Packets

product, its functionality, and different customer implementations. You will then review the architecture

and various components of RSA NetWitness Logs and Packets. Finally, you will examine the way data

flows throughout an RSA NetWitness Logs and Packets implementation.

1

RSA Service Delivery

Methodology Overview

A self-paced eLearning course is primarily designed for new hires, at both Consultant and Project

Management level. It is intended to provide an overview of the RSA PS Delivery Methodology,

including the Service Delivery Framework.

.5

RSA NetWitness Logs and

Packets Foundations

Provides a foundational overview of the core components of RSA NetWitness Logs and Packets.

Students gain insight into the core concepts, uses, functions and features of RSA NetWitness Logs

and Packets and also gain practical experience by performing a series of hands-on labs.

24

RSA NetWitness Logs and

Packets Core Administration

Provides an overview of essential administrative tasks that are performed for RSA NetWitness Logs

and Packets. Students gain insight into Configuring Devices, Monitoring and User Management within

RSA NetWitness Logs and Packets and also gain practical experience by performing a series of hands-

on labs.

16

RSA NetWitness Logs and

Packets Incident Management

Covers the roles and processes within a typical Security Operations Center (SOC), including the

typical responsibilities of a Level 1, 2, and 3 Analyst, and the process for triaging and escalating

incidents. Through a series of video demonstrations, you will experience a day in the life of the analysts

using the Incident Management module in RSA NetWitness Logs and Packets. You will follow an

incident from discovery through close and examine how analysts at varying levels triage and

investigate incidents.

1.5

RSA NetWitness Logs and

Packets Introduction to ESA

Presents a recommended approach to threat analysis and identifies the role of Event Stream Analysis

(ESA) in detecting threats. It provides an overview of ESA features and functions, provides

recommendations to help you determine when to use ESA rules and covers configuration

considerations.

.75

RSA NetWitness Logs and

Packets Installation and

Configuration

Walks you through the process of installing RSA NetWitness Logs and Packets. Through a series of

videos, you will first review the hardware components of a NetWitness Logs and Packets

implementation. You will then walk through how to install the various services, including: the Server,

Decoders, the Concentrator, and Broker. You will then be shown how to configure the services and

connect them together to allow data to flow through the system. After confirming data is flowing through

the system, you will review the steps to check the health and wellness of the system. Lab exercises

provide you with the ability to practice what you have learned. To maximize the value of your learning

experience, this course also includes access to RSA University’s virtual environment.

2

Page 15: RSA NetWitness® Suite Enablement Guide · Systems Engineer Enablement Process 1. RSA NETWITNESS SYSTEMS ENGINEER ASSOCIATE COURSES Complete Associate Level Required Training. This

14

RSA Troubleshooting

Methodology Framework

Provides a general overview of the RSA Troubleshooting Methodology Framework that MSSP

Consultants and CS Learners can apply and follow to ensure better customer experiences. The course

is intended to be an ‘Introduction/Prerequisite’ before learners move on to Troubleshooting

Methodology Framework specific to RSA NetWitness Logs and Packets and RSA NetWitness

Endpoint.

.5

RSA NetWitness Logs and

Packets Introduction to

Troubleshooting

Improves your understanding of how to troubleshoot RSA NetWitness Logs and Packets 10.4.

Through a series of interactions and “just-show-me” video demonstrations, this course will

answer common questions about troubleshooting RSA’s NetWitness Logs and Packets and provide

you with the concepts needed to begin troubleshooting on your own. The content is specific to

NetWitness Logs and Packets version 10.4. However, there is a lot of commonality between versions

and some of the things that you learn may be used to troubleshoot older or newer versions of

NetWitness Logs and Packets. Please keep this in mind as you proceed because there may well be

variances based on the version

2.5

RSA NetWitness Endpoint

Foundations

Provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both

lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course

consists of about 50% hands-on lab work, using a virtual lab environment.

8

RSA NetWitness Endpoint

Administration

This training is intended for anyone responsible for maintaining a deployment of RSA NetWitness

Endpoint. The eLearning and on-demand lab provide instruction and practice in the core

responsibilities of any RSA NetWitness Endpoint Administrator, including management of scans,

notifications, and global parameters. Additional topics include machine and user group creation and

assignment, endpoint agent roll-outs, performance and usability evaluation, endpoint memory capture

for troubleshooting, and upgrade enablement. The lab exercises focus on practicing these common

real-world tasks. Approximately 60 minutes of coursework with 30 minutes lab exercises in virtual

environment.

1.5

Selling & Scoping NetWitness

Suite Services

Provides a comprehensive overview for Selling and Scoping NetWitness Suite (formerly ASOC)

Solutions, both from a Professional Services (PS) and an Ed Services (ES) perspective. The training

content takes a modular approach.

1

RSA NetWitness Endpoint

Fundamentals

Provides a general introduction to RSA NetWitness Endpoint analysis. Students will participate in both

lecture and hands-on experience using the RSA NetWitness Endpoint Analytics tool. The course

consists of about 50% hands-on lab work, using a virtual lab environment.

1.25

RSA NetWitness Endpoint

Installation

Walks through the prerequisites and tasks associated with planning and executing an RSA NetWitness

Endpoint installation. Topics include deployment architecture options, best practices for avoiding

common installation pitfalls, functional tests to ensure the installation was successful, and video

demonstrations to reinforce the material.

4

RSA Business Driven Security

RSA Archer Product Marketing Manager delivers a video discussing how RSA can help

organizations deliver what we call Business-Driven Security. With its new Business-Driven Security

architecture, RSA aims to provide organizations the tools needed to link security information to

business context and protect the most sensitive assets. The RSA Business-Driven Security

solutions focus on threat detection and response, consumer fraud protection, identity and access

assurance, and business risk management.

.25

Estimated Total Time: 65 hours

2018 – 2019 RSA NetWitness Suite Delivery Services Associate

ASSOCIATE – OPTIONAL

COURSE NAME

DESCRIPTION

DURATION (hours)

RSA SecOps Manager

Essentials

Provides practitioner-level training on the business need for managing security operations and the

business impact of the RSA Archer Security Operations Management (SecOps) solution and its basic

functionality. Content provides a basic understanding of the challenges of managing IT security

operations, and describes how SecOps is positioned to address those challenges. Students will learn

about the basic functionality of SecOps – from managing a Security Operations Center (SOC) to managing

incident response and data-breach response – and will learn how the SecOps solution enables

organizations to manage the entire lifecycle with integrated business context and best practices aligned

with industry standards. This course introduces the key personas involved in security operations

management, as well as presenting typical security operations management workflows and describes how

various roles have full visibility into the entire process lifecycle with focused workflows, dashboards, and

reports.

1.5

RSA SecOps Manager

Installation

Is intended for any Consultants responsible for installing the RSA NetWitness SecOps Manager

Installation Solution. This course addresses fundamental concepts, knowledge, and tasks required to

install and perform base-level configuration of SecOps to an initial state. Content includes integration with

required middleware, and configuring integration between SecOps and RSA Security Analytics.

5

Estimated Total Time: 2 Hours

RSA NetWitness Suite Delivery Services Professional

All required and recommended training can be accessed on the Partner Portal

2018 – 2019 RSA NetWitness Delivery Services Professional

PROFESSIONAL – REQUIRED

COURSE NAME

DESCRIPTION

DURATION (hours)

RSA NetWitness Logs and

Packets Event Sources

Provides an overview of how RSA NetWitness Logs and Packets log collection is configured and

performed for a variety of event source types such as Windows, File Reader, ODBC, Check Point

Firewall, VMware, SDEE, SNMP and Netflow.

2

RSA NetWitness Logs Parser

Overview

Provides students with the knowledge and skills to create and deploy log parsers for use within RSA

NetWitness Logs. Students will be introduced to reviewing the metadata framework, creating log parsers

using the RSA Event Source Integrator (ESI) tool, and deploying log parsers within RSA

NetWitness Logs.

2

RSA NetWitness Logs and

Packets ESA EPL Rules

Identifies a best practice strategy for creating EPL rules as well as for learning the EPL rule syntax. It

uses examples and use cases to illustrate EPL rule concepts, such as streams, constructs, data

windows and time constraints.

1.5

RSA NetWitness Packets

Malware Analysis

Provides students with training on the Malware Analysis module of RSA NetWitness Packets. Topics

include an overview of the Malware Analysis module, configuration steps, and conducting an

investigation. Lab exercises provide students with the ability to practice what they have learned. To

maximize the value of your learning experience, this course also includes access to RSA University’s

virtual environment.

4

RSA NetWitness Logs and

Packets Hunting

Presents methods and techniques prescribed by security experts for quickly locating anomalies on the

network and for enhancing the data set to highlight suspicious activity. It provides recommended

strategies and processes for searching for threats, along with demonstrations of those techniques

against a laboratory dataset.

1.5

RSA NetWitness Logs and

Packets 10G Interface

Installation

Demonstrates the installation and configuration processes for a 10Gb capture interface card on the RSA

NetWitness Packet Decoder. The RSA NetWitness Packet Decoder can capture data at very high

speeds with the addition of a 10Gb network interface card. This on-demand learning describes the card

installation options, demonstrates the physical installation process, and then demonstrates the software

configuration required to capture data at 10Gb speeds.

1.5

RSA NetWitness Logs and

Packets Analysis

Provides hands-on experience using the RSA NetWitness Logs and Packets tool to identify, investigate

and remediate network-based security breaches on your enterprise network. The course consists of

about 75% hands-on lab work, following practical use cases from the identification and investigation

stages through event reconstruction, damage assessment, and remediation.

16

RSA NetWitness Logs and

Packets Troubleshooting Use

Roles

This on-demand learning focuses on the RSA NetWitness trust model and how users, roles, and

permissions control user access to the RSA NetWitness Logs and Packets environment. Use cases will

be provided to demonstrate incorrect role configuration, symptoms, and fixes to correct the role.

.5

RSA NetWitness Context Hub

Deep Dive and

Troubleshooting Tips

Presents an overview of the RSA NetWitness Logs and Packets Context Hub service. Topics include

how to properly configure it for various data sources, how it works under the hood, and tips and tricks

for troubleshooting. The concept behind this eLearning is to educate students on the proper way to work

with the Context Hub, thus eliminating the need to do a lot of troubleshooting in the future. This course

is primarily intended for NetWitness Administrators but will provide insight to Analysts as well.

3

RSA NetWitness Logs and

Packets Troubleshooting ESA

EPL Rules

Improves your understanding of how to troubleshoot RSA NetWitness Logs and Packets Event Stream

Analysis (ESA) rules. While troubleshooting ESA in general is an important skill, the #1 issue in the field

is troubleshooting ESA rules in particular. With "just show me" videos, this course addresses the most

common reasons that rules don't work. It first discusses ways to determine whether or not it is a "rule

issue." It outlines the most common "rule issues" and provides approaches to resolving them. The

course continues with tips, tricks, and tools for troubleshooting rules and general strategies for working

with rules. It also will help you avoid some common "Gotchas." The content is designed for

troubleshooting the 10.x versions of the product.

1.5

RSA NetWitness Logs and

Packets Troubleshooting the

Platform

Improves your understanding of troubleshooting the RSA Security Analytics platform found in 10.4 and

above. Through a series of “just-show-me” video demonstrations, this course will address the most

common platform issues and will provide you with the tools you need to better isolate issues. The

content is specific to Security Analytics version 10.4. However, there is a lot of commonality between

versions and some of the things that you learn may be used to troubleshoot older or newer versions of

Security Analytics. Please keep this in mind as you proceed because there may well be variances based

on the version. The course begins by discussing how to reduce Puppet issues and then spells out

specific commands that you can use to validate when things are running correctly and narrow down

issues with Puppet, MCollective, RabbitMQ, and Collectd.

2.5

RSA NetWitness Logs and

Packets Troubleshooting

Upgrades

Describes how to upgrade RSA NetWitness Logs and Packets software. In the process of demonstrating

upgrades, troubleshooting techniques and possible upgrade issues are identified.

1

RSA NetWitness Endpoint

Analysis

Provides core essentials training for security analysts employing RSA NetWitness Endpoint. Students

participate in an interactive lecture format and put into practice what they learn in instructor-assisted

hands-on lab work in a simulated deployment.

16

RSA NetWitness Endpoint

Hunting

Presents techniques prescribed by security analysts for employing RSA NetWitness Endpoint to locate

sophisticated targeted attacks. Finding known malware and obviously malicious behavior is easy with

this tool’s Instant Indicators of Compromise, but sophisticated intrusions can be far more challenging.

Indicators of specific exploits and threats, such as common keylogging techniques, are detailed.

2

RSA NetWitness Endpoint

Troubleshooting

Examines common troubleshooting issues customers face in RSA NetWitness Endpoint

implementations. You will first be presented with a common troubleshooting methodology framework in

the context of RSA NetWitness Endpoint. Then, you will examine a number of common customer use

cases where you will identify the root cause of the issue, and remediate the problem.

2

RSA SecOps Manager

Implementation

Addresses the implementation and operationalization of the RSA NetWitness SecOps Manager

Implementation. The course focuses on the primary tasks to implement and integrate SecOps with

Enterprise Management and Security Analytics into a security solution. Course content includes an

overview of how SecOps integration works, the importance of requirements identified in a statement

of work and ACD design document, implementation roles and responsibilities, and the primary tasks

to implement SecOps. The course includes a series of videos demonstrating the key implementation

tasks. Lab exercises provide students with the ability to practice what they have learned. To

maximize the value of your learning experience, this course also includes access to RSA University’s

virtual environment.

4

RSA NetWitness Logs and

Packets Tuning and

Optimization

Covers RSA NetWitness Logs and Packets performance tuning and optimization topics, allowing

analysts to improve performance through query optimization and efficient rule syntax. Students will

also gain administrative skills to optimize performance through proper device configuration, database

tuning, creating groups for aggregation and monitoring Health and Wellness alerts.

4

Estimated Total Time: 65 Hours

PROFESSIONAL OPTIONAL

COURSE NAME

DESCRIPTION

DURATION (hours)

RSA NetWitness Endpoint

Writing Yara Rules

Provides an introduction to writing rules for RSA NetWitness Endpoint using YARA. Students will gain

familiarity with the YARA tool's syntax and functionality to write rules that optimize flexibility and

minimize false positives.

.75

Estimated Total Time: .75 Hours

RSA NetWitness Suite Delivery Services Master

All required and recommended training can be accessed on the Partner Portal

2018 – 2019 RSA NetWitness Delivery Services Master

MASTER – REQUIRED

COURSE NAME

DESCRIPTION

DURATION (hours)

RSA NetWitness Logs and Packets

WinRM Configuration and

Troubleshooting

Provides students with training on a tool to assist in both configuring and

troubleshooting WinRM event sources for RSA NetWitness Logs using an automated

script. Students will also receive an overview of the Kerberos authentication protocol.

2

RSA Hunting Workshop for Analysts

Presents students with the opportunity to perform a realistic forensic security analysis

in a hands-on environment working with RSA NetWitness Logs and Packets and

RSA NetWitness Endpoint. Students will be provided with a complex, multipart

cyberattack use case to work through, and will be tasked with finding key evidence

about the attack, identifying targeted and compromised systems, reconstructing the

sequence of events, and proposing a remediation plan. Students will be given a

minimum amount of introductory information, and will conduct their analyses using

their knowledge of networking protocols, endpoint operating systems, and common

cyberattack vectors. An instructor will be present to guide students individually as

they work their way through the data set.

16

RSA NetWitness Logs and Packets LUA

Parsers

Will serve as an introduction to RSA NetWitness LUA Packet Parsers. It is suitable

for the RSA NetWitness Analysts and Administrators interested in better

understanding how packet parsers work and becoming familiar with the process of

writing their own custom packet parser.

1.5

RSA NetWitness Logs and Packets

Integration with NetWitness Endpoint

Describes how to integrate RSA NetWitness Logs and Packets and RSA NetWitness

Endpoint to perform investigations using both tools. It covers various forms of

integration including syslog, Live feeds, recurring feed and Incident Management

(message bus).

1

RSA NetWitness Using the REST API

Will explore the different ways to access key metrics, controls, and metadata within

RSA NetWitness Logs and Packets. It begins by reviewing how RSA has

implemented the REST API and reasons for its use. Then, through a series of

demonstrations, it shows Administrators, Developers, and security team members

how to "get," "set," and use data from the back-end of the RSA NetWitness product in

a programmatic fashion. Different access methods such as use of the NetWitness

GUI, the REST GUI, CLI use of curl, and automated uses within tutorial scripts are

presented and compared. The course even provides a sample Python script that you

can extend for your own use. Lab exercises walk you through "real life" examples of

REST API's use and give you the foundations to begin your own research and use of

this powerful tool.

3

RSA NetWitness Packets and Splunk

Integration

Provides students with the knowledge and skills to configure Splunk® Enterprise and

RSA NetWitness Packets to view security logs in Splunk, view Splunk metadata in

RSA NetWitness Packets, link to Splunk data through a context menu, send logs to

Splunk via an ESA alert, and send Reporting Engine logs to Splunk.

1.5

Estimated Total Time: 25 Hours

RSA NetWitness Suite Delivery Services Master

All required and recommended training can be accessed on the Partner Portal

2018 – 2019 RSA NetWitness Delivery Services Master

MASTER – OPTIONAL

COURSE NAME

DESCRIPTION

DURATION (hours)

RSA NetWitness LUA Parsers for Logs

Will provide students with an overview of creating custom log parsers for RSA

NetWitness using Lua. Students will cover topics such as when to use a custom

parser, the components of a Lua parser, how to create the Lua parser for logs and

basic troubleshooting.

1

RSA NetWitness Packets and Splunk

Integration

Provides students with the knowledge and skills to configure Splunk® Enterprise and

RSA NetWitness Packets to view security logs in Splunk, view Splunk metadata in

RSA NetWitness Packets, link to Splunk data through a context menu, send logs to

Splunk via an ESA alert, and send Reporting Engine logs to Splunk.

1.5

RSA NetWitness Logs and Packets

Tuning and Optimization

Covers RSA NetWitness Logs and Packets performance tuning and optimization

topics, allowing analysts to improve performance through query optimization and

efficient rule syntax. Students will also gain administrative skills to optimize

performance through proper device configuration, database tuning, creating groups

for aggregation and monitoring Health and Wellness alerts.

4

Estimated Total Time: 6.5 Hours