01 - RSA EnVision SIEM for Cisco

Date post: 21-Jan-2016
Description: RSA EnVision SIEM integration for Cisco products.
Page 1: 01 - RSA EnVision SIEM for Cisco

Managing Advanced Threats

by RSA SIEM, NAV, and DLP solutions

David Mateju, Senior Technology Consultant

RSA, The Security Division of EMC

[email protected]

Page 2

Step 1: Phishing emails

John receives a phishing email that was customized for him.


Page 4

Step 2: Drive-by download

John clicks on the link and his machine gets infected by a Trojan from a drive-by download.

Page 5

Step 3: Attacker gains access to a critical server

The Trojan installs a backdoor which allows a reverse connection to the infected machine. The hacker dumps the password hash and gains access to a critical server via RDP.

(Diagram: John's machine -> RDP, password -> Critical Server)

Page 6

Step 4: Data exfiltration

The attacker encrypts sensitive files found on the critical server and transfers them out via FTP to an external server.

Page 7

DLP detects file transfer activity (RSA Data Loss Prevention)

DLP Network detects a transfer of an encrypted file over the FTP protocol.

Page 8

Correlation alert triggered from SIEM (RSA enVision)

RSA enVision generates an alert from two correlated events:

1. Successful RDP connection to the critical server
2. DLP activity on the same server

Page 9

Incident escalation to SOC and/or GRC dashboard (RSA Archer eGRC)

• RSA enVision alerts are sent to RSA Archer via RCF
• RSA Archer links this incident with business context and prioritizes it as HIGH priority

Page 10

Seamless integration to NAV (RSA NetWitness)

• Instant integration from the Archer Console to NetWitness with two clicks
• SIEMLink transparently retrieves full session detail from NextGen

Page 11

Spectrum Automated Malware Analysis

Spectrum instantly provides a detailed analysis of the executable file in question.

Page 12

Interactive Analysis with Investigator

Context of all network activities to/from the critical server. Confirm John's machine (192.168.100.142) as the source of the RDP session.

Page 13

Interactive Analysis with Investigator

Drill into all network sessions from John's machine:

• Small executable file
• Transfer over HTTP
• Suspicious filename & extension
• Malware?!?

Suspicious domain name

Page 14

RSA enVision SIEM Platform (also for Cisco network and security devices)

Page 15

RSA enVision 3-in-1 SIEM Platform

Event sources feeding the platform: servers, storage, applications / databases, security devices, network devices

• Simplifying Compliance: compliance reports for regulations and internal policy (Auditing, Reporting)
• Enhancing Security: real-time security alerting and analysis (Forensics, Alert / correlation)
• Optimizing IT & Network Operations: IT monitoring across the infrastructure (Visibility, Network baseline)

Underlying layer: RSA enVision Log Management platform with a purpose-built database (IPDB)

Page 16

Simplifying Compliance: Robust Alerting & Reporting

• 1400+ reports included out of the box
• 240+ devices supported out of the box
• Easily customizable
• Grouped according to standards, e.g. National Laws (SOX, Basel II, JSOX), Industry Regulations (PCI), Best Practices & Standards (ISO 27002, ITIL)

Page 17

Cisco – RSA enVision Integrations

High quality integrations due to the Cisco and RSA partnership
– Sharing of roadmaps, log/event knowledge
– Optimized log/event parsing, correlation rules, and reports

20+ Cisco devices supported by RSA enVision
– Latest versions for Security, Networking, Wireless and Virtualization products
– Cisco updates supported by RSA typically within 1 quarter of production release
– enVision product infrastructure designed to be able to easily add Cisco devices

Page 18

Cisco – RSA enVision Integrations

RSA enVision - MARS integration highlights
– Capture all 100+ MARS alerts and correlate them with other devices & applications throughout your infrastructure, OR
– Send all raw logs from MARS Archives to enVision for processing

Page 19

RSA enVision Enhances Cisco's Security Capabilities

RSA enVision improves Cisco's security visibility
– Correlates alerts from Cisco devices with information across other event streams to improve protection of business critical data and assets
– Includes event streams from applications, databases, data loss prevention systems, physical and virtual servers, etc.
– Provides an interface to investigate issues Cisco devices identify

Logs and events from Cisco devices captured by enVision enable numerous use cases, e.g.:
– Latest IPS reputation scoring
– Location aware access monitoring & alerting (via Cisco MSE)
– CS MARS & ASA Botnet detection
– Proactive views on Web Security Gateways

Page 20

Use Case: Security Incident Classification (Leverages Cisco IPS reputation score)

Cisco IPS 7.0 detects negative reputation score signatures. RSA DLP (DLP Network) detects information leaving the network. The analyst investigates the malware outbreak, and DLP tells you if confidential data was lost as a result.

Without enVision to correlate Cisco IPS and DLP events:
• Analyst needs training in 2 products
• No single pane of glass to get the full picture

Without DLP:
• True impact of malware infection not known

Without Cisco IPS:
• Slower detection of malware outbreak
• More resource-intensive investigation
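Both the two-event alert on page 8 (successful RDP logon, then DLP activity on the same server) and the IPS reputation plus DLP pairing in this use case are a time-windowed join of two normalized events on the asset they concern. The Python below is an added illustration of that pattern, not RSA enVision's rule language or code; the event names, host names, lookback windows and sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime     # event time (assumed already normalized to one clock)
    kind: str        # normalized event name (assumed taxonomy)
    host: str        # asset the event is about; this is the join key
    detail: str = ""


@dataclass(frozen=True)
class Rule:
    name: str
    precondition: str   # kind that must have occurred earlier on the same host
    trigger: str        # kind that fires the rule when it arrives
    window: timedelta   # how far back to look for the precondition


def correlate(events, rules):
    """Replay events in time order; emit (rule name, host, time) once per
    trigger event whose precondition was seen on the same host in the window."""
    alerts = []
    recent = {}  # (host, kind) -> most recent timestamp of that kind on that host
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            if ev.kind != rule.trigger:
                continue
            seen = recent.get((ev.host, rule.precondition))
            if seen is not None and ev.ts - seen <= rule.window:
                alerts.append((rule.name, ev.host, ev.ts))
        recent[(ev.host, ev.kind)] = ev.ts   # update after matching
    return alerts


RULES = [
    Rule("RDP logon followed by DLP activity on same server",
         precondition="rdp_logon_success", trigger="dlp_network_transfer",
         window=timedelta(hours=1)),
    Rule("IPS negative reputation hit followed by DLP activity",
         precondition="ips_negative_reputation", trigger="dlp_network_transfer",
         window=timedelta(hours=24)),
]

# Constructed sample events (not from the presentation), mirroring slides 5-8 and page 20.
T0 = datetime(2016, 1, 21, 9, 0)
SAMPLE = [
    Event(T0, "rdp_logon_success", "critical-srv-01", "from 192.168.100.142"),
    Event(T0 + timedelta(minutes=5), "dlp_network_transfer", "file-srv-07", "no prior RDP logon"),
    Event(T0 + timedelta(minutes=10), "ips_negative_reputation", "ws-john", "negative reputation signature"),
    Event(T0 + timedelta(minutes=20), "dlp_network_transfer", "critical-srv-01", "encrypted file over FTP"),
    Event(T0 + timedelta(minutes=40), "dlp_network_transfer", "ws-john", "outbound transfer"),
    Event(T0 + timedelta(hours=3), "dlp_network_transfer", "critical-srv-01", "outside the 1h window"),
]
```

Running `correlate(SAMPLE, RULES)` yields exactly two alerts: the RDP rule for critical-srv-01 at 09:20 and the IPS rule for ws-john at 09:40; the transfer with no prior logon and the one three hours later do not fire.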

Page 21

Example of RSA enVision SOC Dashboard

Page 22

RSA enVision In Action At the EMC CIRC (EMC Critical Incident Response Center)

Page 23

Sample Compliance Reports (PCI): Cisco router config changes; Cisco ASA top sources

Page 24

Example ASA Reports

Page 25

Cisco - RSA enVision Solution Benefits

Reduce security risk
• Prioritize incidents by correlating threats with data sensitivity
• Identify threats more quickly with smarter correlation based on location

Simplify Compliance
• Map Cisco data (plus other compliance-relevant data, e.g. server logs) back to specific standards & regulations
• 1300+ reports out-of-the-box

Optimize IT Operations
• Audit security changes, enforce compliance
• Ease troubleshooting via global view into network logs / events

Page 26

RSA NetWitness for Network Analysis and Visibility (NAV)

Page 27

Know Everything. Answer Anything.

» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my Anti-Virus and IPS/IDS missing?
» I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus, Flame, Citadel or other zero-day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all…

Page 28

Understanding the RSA NetWitness Network Monitoring Platform

(Diagram: network traffic and logs are captured, fused with threat intelligence, and presented as normalized data with application layer context)

Page 29

Automated Analysis, Reporting and Alerting: Informer

• Flexible dashboard, chart and summary displays for a unified view of threat vectors
• Automated answers to any question:
  • Network Security
  • Security / HR
  • Legal / R&D / Compliance
  • I/T Operations
• HTML, CSV and PDF report formats included
• Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM

Page 30

Getting Answers to the Toughest New Questions: Investigator

• Interactive data-driven session analysis of layer 2-7 content
• Award-winning, patented, port agnostic session analysis
• Infinite free-form analysis paths and content / context investigation points
• Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)
• Supports massive data-sets
  – Instantly navigate terabytes of data - analysis that once took days, now takes minutes
• Freeware version used by over 50,000 security experts worldwide

Page 31

Automated Malware Analysis and Prioritization: Spectrum

• Identify the widest spectrum of malware-based attacks
  • Gain insight into attacks missed by both traditional and modern approaches to malware protection
• Analyze attacks by utilizing a wide spectrum of investigation techniques
  • Combine four distinct investigation techniques
  • Automatically answer thousands of questions about the behavior of files
  • Increase the speed and accuracy of investigations

Page 32

A New Way to Look at Information: Visualize

Revolutionary visual interface to content on the network
– Extracts and interactively presents images, files, objects, audio, and voice for analysis
– Supports multi-touch, drilling, timeline and automatic “play” browsing
– Rapid review and triage of content

Page 33

Nonstop 24x7 Threat Intelligence Delivery System: Live

Automate insight into advanced threats
• Leverages the global security community to correlate and illuminate the most pertinent information
• Fuses intelligence with your network data at the time of capture
• Solutions to problem-sets:
  – Advanced threats
  – Malware
  – BOTNets
  – Policy/Audit
  – Enterprise Monitoring
  – Fraud
  – User Attribution
  – Risk prioritization
• Prioritized and detailed reporting

Page 34

RSA enVision SIEM Integration

Page 35

RSA DLP Integration: SIEM Link
