Managing Advanced Threats
with RSA SIEM, NAV, and DLP solutions
David Mateju, Senior Technology Consultant
RSA, The Security Division of EMC
Step 1: Phishing emails
John receives a phishing email that was customized for him.
Step 2: Drive-by download
John clicks on the link in the email and his machine is infected by a Trojan via a drive-by download.
Step 3: Attacker gains access to a critical server
The Trojan installs a backdoor that allows a reverse connection to the infected machine. The attacker dumps a password hash and gains access to a critical server via RDP.
[Diagram: John’s machine -> RDP (password) -> Critical Server]
Step 4: Data exfiltration
The attacker encrypts sensitive files found on the critical server and transfers them out via FTP to an external server.
DLP detects file transfer activity (RSA Data Loss Prevention)
DLP Network detects a transfer of an encrypted file over the FTP protocol.
Correlation alert triggered from SIEM (RSA enVision)
RSA enVision generates an alert from two correlated events:
1. Successful RDP connection to the critical server
2. DLP activity on the same server
Incident escalation to SOC and/or GRC dashboard (RSA Archer eGRC)
• RSA enVision alerts are sent to RSA Archer via RCF
• RSA Archer links this incident with business context and prioritizes it as HIGH priority
Seamless integration to NAV (RSA NetWitness)
• Instant integration from the Archer console to NetWitness with two clicks
• SIEMLink transparently retrieves full session detail from NextGen
Spectrum Automated Malware Analysis
Spectrum instantly provides detailed analysis of the executable file in question.
Interactive Analysis with Investigator
Context of all network activities to/from the critical server; confirm John’s machine (192.168.100.142) as the source of the RDP session.
Interactive Analysis with Investigator
Drill into all network sessions from John’s machine:
• Small executable file
• Transfer over HTTP
• Suspicious filename & extension
• Suspicious domain name
• Malware?!?
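The drill-down above is a manual triage: an analyst looks at every session from John’s machine and notices the combination of a small executable, cleartext HTTP, an odd filename and an unfamiliar domain. The same observations can be applied as a scoring pass over session metadata so that the sessions worth a human look surface first. The following is an added example written for this page, not RSA NetWitness code; the Session fields, the score weights, the "known domain" list and the sample sessions (including the 192.168.100.142 address from the slides) are constructed for illustration.

```python
"""Score network sessions from one host with the indicators the Investigator
slide lists: executable content, small size, cleartext HTTP, a misleading
filename/extension and a suspicious domain. Constructed example; field
names, weights and sample data are illustrative, not a product format."""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    domain: str
    proto: str      # application protocol the session was identified as
    filename: str   # filename of the transferred object, "" if none
    size: int       # size of the transferred object in bytes
    magic: bytes    # leading bytes of the object, b"" if none


@dataclass(frozen=True)
class Finding:
    score: int
    reasons: tuple[str, ...]
    session: Session


EXEC_MAGICS = (b"MZ", b"\x7fELF")                 # PE and ELF headers
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".msi")
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|xlsx?|txt)\.(exe|scr|dll|com|pif)$", re.I)
SMALL_EXE = 200_000                                # bytes; threshold is an assumption
# Hypothetical allowlist of domains the organisation already trusts.
KNOWN_DOMAINS = {"intranet.example.com", "update.example-vendor.com", "mail.example.com"}
JOHN = "192.168.100.142"                           # John's machine, from the slides


def domain_looks_suspicious(domain: str) -> bool:
    """Unknown domain whose registrable label is digit-heavy or unpronounceable."""
    if domain in KNOWN_DOMAINS:
        return False
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else domain
    digit_ratio = sum(c.isdigit() for c in label) / max(len(label), 1)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label.lower())
    longest_consonant_run = max((len(r) for r in runs), default=0)
    return digit_ratio > 0.3 or longest_consonant_run >= 5


def triage(s: Session) -> Finding:
    """Add up the indicators present in one session and record why."""
    score, reasons = 0, []
    is_exe = s.magic.startswith(EXEC_MAGICS)
    if is_exe:
        score += 3; reasons.append("executable content")
        if s.size < SMALL_EXE:
            score += 1; reasons.append("small executable")
        if s.proto == "http":
            score += 1; reasons.append("executable over cleartext HTTP")
        if s.filename and not s.filename.lower().endswith(EXEC_EXTS):
            score += 2; reasons.append("executable with non-executable filename")
    if DOUBLE_EXT.search(s.filename):
        score += 2; reasons.append("double extension")
    if domain_looks_suspicious(s.domain):
        score += 2; reasons.append("suspicious domain")
    return Finding(score, tuple(reasons), s)


def rank_sessions(sessions: list[Session], host: str) -> list[Finding]:
    """All sessions originating from `host`, highest score first."""
    findings = [triage(s) for s in sessions if s.src == host]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample sessions: four from John's machine, one from another host.
SAMPLE_SESSIONS = [
    Session(JOHN, "203.0.113.50", "xk3v9q2mzt7p.net", "http", "invoice.pdf.exe", 48_000, b"MZ\x90\x00"),
    Session(JOHN, "10.0.0.20", "intranet.example.com", "https", "report.docx", 1_200_000, b"PK\x03\x04"),
    Session(JOHN, "198.51.100.3", "cdn.securitynewsletter.org", "http", "logo.png", 15_000, b"\x89PNG"),
    Session(JOHN, "198.51.100.8", "update.example-vendor.com", "http", "setup.exe", 5_000_000, b"MZ\x90\x00"),
    Session("192.168.100.77", "203.0.113.50", "xk3v9q2mzt7p.net", "http", "", 0, b""),
]

if __name__ == "__main__":
    for f in rank_sessions(SAMPLE_SESSIONS, JOHN):
        print(f"{f.score:2d}  {f.session.domain:30s} {f.session.filename or '-':18s} {', '.join(f.reasons)}")
```

The weights are deliberately additive and explainable: the session that matches every indicator on the slide scores highest, a large signed-looking installer from a known vendor domain still scores for "executable over HTTP" so it is not hidden, and ordinary document and image traffic scores zero. The reasons tuple is what an analyst would read when deciding whether to hand the file to automated malware analysis.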
RSA enVision SIEM Platform (also for Cisco network and security devices)
RSA enVision 3-in-1 SIEM Platform
[Diagram: log sources (servers, storage, applications/databases, security devices, network devices) feed the RSA enVision Log Management platform and its purpose-built database (IPDB), which serves three areas:]
– Simplifying Compliance: compliance reports for regulations and internal policy (auditing, reporting)
– Enhancing Security: real-time security alerting and analysis (forensics, alert/correlation)
– Optimizing IT & Network Operations: IT monitoring across the infrastructure (visibility, network baseline)
Simplifying Compliance: Robust Alerting & Reporting
– 1400+ reports included out of the box
– 240+ devices supported out of the box
– Easily customizable
– Grouped according to standards, e.g. national laws (SOX, Basel II, JSOX), industry regulations (PCI), best practices & standards (ISO 27002, ITIL)
Cisco – RSA enVision Integrations
High quality integrations due to the Cisco and RSA partnership
– Sharing of roadmaps, log/event knowledge
– Optimized log/event parsing, correlation rules, and reports
20+ Cisco devices supported by RSA enVision
– Latest versions for Security, Networking, Wireless and Virtualization products
– Cisco updates supported by RSA typically within 1 quarter of production release
– enVision product infrastructure designed to be able to easily add Cisco devices
Cisco – RSA enVision Integrations
RSA enVision – MARS integration highlights
– Capture all 100+ MARS alerts and correlate them with other devices & applications throughout your infrastructure, OR
– Send all raw logs from MARS Archives to enVision for processing
RSA enVision Enhances Cisco’s Security Capabilities
RSA enVision improves Cisco’s security visibility
– Correlates alerts from Cisco devices with information across other event streams to improve protection of business critical data and assets
– Includes event streams from applications, databases, data loss prevention systems, physical and virtual servers, etc.
– Provides an interface to investigate issues Cisco devices identify
Logs and events from Cisco devices captured by enVision enable numerous use cases, e.g.:
– Latest IPS reputation scoring
– Location aware access monitoring & alerting (via Cisco MSE)
– CS MARS & ASA Botnet detection
– Proactive views on Web Security Gateways
Use Case: Security Incident Classification (leverages Cisco IPS reputation score)
[Diagram: Cisco IPS 7.0 detects negative-reputation-score signatures; RSA DLP Network detects information leaving the network; the analyst investigates the malware outbreak, and DLP tells you whether confidential data was lost as a result.]
Without enVision to correlate Cisco IPS and DLP events:
• Analyst needs training in 2 products
• No single pane of glass to get the full picture
Without DLP:
• True impact of malware infection not known
Without Cisco IPS:
• Slower detection of malware outbreak
• More resource-intensive investigation
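Both the attack story earlier on this page (a successful RDP connection to the critical server followed by DLP activity on the same server) and the Cisco IPS use case just above are instances of one correlation rule: a precursor event on a host, then a DLP Network detection on the same host inside a short time window, raised as a single HIGH-priority alert that carries both events. The following is an added example written for this page, not RSA enVision code. The pipe-separated log layout, the event type names, the 30-minute window, the list of critical servers and all sample records are constructed for illustration; the sample reuses the 192.168.100.142 address from the slides.

```python
"""Two-stream correlation: a precursor event (successful RDP logon or an IPS
negative-reputation hit) followed by a DLP detection on the same host within
a time window produces one alert carrying both events. Constructed example;
the log format and event names are illustrative, not a product format."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which product emitted it, e.g. "winlog", "cisco_ips", "dlp"
    kind: str     # normalised event type
    host: str     # server the event concerns
    detail: str   # free-form key=value payload


@dataclass(frozen=True)
class Alert:
    host: str
    precursor: Event
    dlp_event: Event
    priority: str = "HIGH"


# Precursor types: the RDP logon from the attack story and the IPS
# reputation hit from the Cisco use case. The rule is scoped to the
# servers the organisation has flagged as critical (hypothetical list).
PRECURSORS = {"rdp_logon_success", "ips_reputation_hit"}
CRITICAL_SERVERS = {"critsrv01", "websrv03", "filesrv02"}

# Constructed sample log in a simple "ts|source|kind|host|detail" layout.
SAMPLE_LOG = """\
2012-06-01T09:00:05|winlog|rdp_logon_success|critsrv01|src=192.168.100.142 user=john
2012-06-01T09:07:40|dlp|dlp_transfer|critsrv01|proto=ftp dst=203.0.113.7 encrypted=yes
2012-06-01T09:30:00|dlp|dlp_transfer|filesrv02|proto=smtp dst=mail.example.net encrypted=no
2012-06-01T10:50:00|cisco_ips|ips_reputation_hit|websrv03|score=-7.5 sig=reputation
2012-06-01T11:15:00|dlp|dlp_transfer|websrv03|proto=http dst=198.51.100.9 encrypted=yes
2012-06-01T15:00:00|winlog|rdp_logon_success|critsrv01|src=10.0.0.5 user=admin
"""


def parse_log(text: str) -> list[Event]:
    """Parse the constructed layout and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, host, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), source, kind, host, detail))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[Event], window: timedelta = timedelta(minutes=30)) -> list[Alert]:
    """Stream events; remember precursors per host, fire on a DLP event that
    follows the most recent precursor for that host within `window`."""
    recent: dict[str, deque[Event]] = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev.kind in PRECURSORS and ev.host in CRITICAL_SERVERS:
            recent[ev.host].append(ev)
            continue
        if ev.kind != "dlp_transfer":
            continue
        q = recent[ev.host]
        while q and ev.ts - q[0].ts > window:   # drop precursors outside the window
            q.popleft()
        if q:
            alerts.append(Alert(ev.host, q[-1], ev))
    return alerts


def run_sample() -> list[Alert]:
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.priority} {a.host}: {a.precursor.kind} at {a.precursor.ts:%H:%M} "
              f"({a.precursor.detail}) then DLP {a.dlp_event.detail} at {a.dlp_event.ts:%H:%M}")
```

On the sample data the rule fires twice: the RDP logon on critsrv01 followed seven minutes later by an encrypted FTP transfer (the attack story), and the IPS reputation hit on websrv03 followed by an HTTP transfer (the Cisco use case). The SMTP transfer on filesrv02 has no precursor and the afternoon RDP logon on critsrv01 is never followed by DLP activity, so neither produces an alert; that is the "single pane of glass" argument of the slide, expressed as a rule rather than as two consoles an analyst has to read side by side.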
Example of RSA enVision SOC Dashboard
RSA enVision in Action at the EMC Critical Incident Response Center (CIRC)
Sample Compliance Reports (PCI): Cisco router config changes; Cisco ASA top sources
Example ASA Reports
Cisco – RSA enVision Solution Benefits
Reduce security risk
• Prioritize incidents by correlating threats with data sensitivity
• Identify threats more quickly with smarter correlation based on location
Simplify Compliance
• Map Cisco data (plus other compliance-relevant data, e.g. server logs) back to specific standards & regulations
• 1300+ reports out-of-the-box
Optimize IT Operations
• Audit security changes, enforce compliance
• Ease troubleshooting via global view into network logs / events
RSA NetWitness for Network Analysis and Visibility (NAV)
Know Everything. Answer Anything.
» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my Anti-Virus and IPS/IDS missing?
» I am worried about targeted malware and APTs – how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus, Flame, Citadel or other zero-day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all…
Understanding the RSA NetWitness Network Monitoring Platform
[Diagram: network traffic and logs are captured, fused with threat intelligence, and presented as normalized data with application-layer context.]
Informer – Automated Analysis, Reporting and Alerting
• Flexible dashboard, chart and summary displays for a unified view of threat vectors
• Automated answers to any question:
  • Network Security
  • Security / HR
  • Legal / R&D / Compliance
  • I/T Operations
• HTML, CSV and PDF report formats included
• Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM
Investigator – Getting Answers to the Toughest New Questions
• Interactive data-driven session analysis of layer 2-7 content
• Award-winning, patented, port agnostic session analysis
• Infinite free-form analysis paths and content/context investigation points
• Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)
• Supports massive data-sets
  – Instantly navigate terabytes of data – analysis that once took days now takes minutes
• Freeware version used by over 50,000 security experts worldwide
Spectrum – Automated Malware Analysis and Prioritization
• Identify the widest spectrum of malware-based attacks
  – Gain insight into attacks missed by both traditional and modern approaches to malware protection
• Analyze attacks by utilizing a wide spectrum of investigation techniques
  – Combine four distinct investigation techniques
  – Automatically answer thousands of questions about the behavior of files
  – Increase the speed and accuracy of investigations
Visualize – A New Way to Look at Information
Revolutionary visual interface to content on the network
– Extracts and interactively presents images, files, objects, audio, and voice for analysis
– Supports multi-touch, drilling, timeline and automatic “play” browsing
– Rapid review and triage of content
Live – Nonstop 24x7 Threat Intelligence Delivery System
Automate insight into advanced threats
• Leverages the global security community to correlate and illuminate the most pertinent information
• Fuses intelligence with your network data at the time of capture
• Solutions to problem-sets:
  – Advanced threats
  – Malware
  – BOTNets
  – Policy/Audit
  – Enterprise Monitoring
  – Fraud
  – User Attribution
  – Risk prioritization
• Prioritized and detailed reporting
RSA enVision SIEM Integration
RSA DLP Integration
SIEM Link