Network Visibility and Analytics | Gigamon - …querying and real-time analytics while also...

Date post: 15-May-2020
Page 1: Network Visibility and Analytics | Gigamon - …querying and real-time analytics while also facilitating reporting and alerting. Overview of AWS Architecture RSA NetWitness for AWS

1 © 2017 Gigamon. All rights reserved.

Gigamon Visibility Platform and RSA NetWitness for Amazon AWS

The purpose of the AWS test drive environment is to quickly and easily explore the benefits and features of the Gigamon Visibility Platform and RSA NetWitness integration within AWS.

This test drive is focused on demonstrating how Gigamon Visibility Platform and RSA NetWitness for Amazon Web Services (AWS) provides consistent visibility into data-in-motion across the entire enterprise: on-premise, remote sites, private, hybrid, and public clouds.

Introduction to RSA NetWitness

Security teams need to evolve to stay in front of attackers and the latest threats, but in recent years this has become much more difficult. Attackers continue to advance and use sophisticated techniques to infiltrate organizations which no longer have well defined perimeters. Attackers spend significant resources performing reconnaissance to learn about organizations and develop techniques specifically designed to bypass the security tools being used.

The sophistication of threat actors and the expanding attack surface make it nearly impossible for security teams to discover and understand compromises quickly enough to respond before they impact the business.

RSA NetWitness Logs and Packets provides pervasive visibility with advanced analytics - including real-time behavior analytics - to detect and investigate sophisticated attacks.

RSA NetWitness Logs and Packets captures and enriches full network packet data alongside other data types, such as logs, NetFlow and endpoint. RSA NetWitness Logs and Packets captures full network packets, which means an attack can be reconstructed to fully understand the full scope of the attack and in turn implement an effective remediation plan to stop the attacker from achieving their objective.

Key Capabilities

Network Monitoring and Forensics

Correlate, Detect, and Respond in Real Time

Behavior Analytics

Actionable Threat Intelligence

Endpoint Visibility and Enrichment

Security Operations Orchestration

RSA NetWitness Test Drive Environment

Within AWS, the following components are configured to provide enough infrastructure to complete this test drive:

Component                    Description
NetWitness Server (Action)   Hosts Reporting, Investigation, Administration, Respond and other aspects of the user interface.
Packet Decoder (Visibility)  The packet data is collected using a host called Decoder. The Decoder captures, parses, and reconstructs all network traffic from Layers 2 to 7.
Concentrator (Analysis)      The Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting.

Overview of AWS Architecture

RSA NetWitness for AWS supports two deployment modes—Hybrid and Public Cloud.

Hybrid Cloud Deployment

Full Stack Cloud Deployment

Gigamon Visibility Platform and RSA NetWitness Test Drive Use Cases

The test drive environment helps you focus on the tasks defined in the following:

Creating Traffic-Specific Flow Maps

Create multiple flow maps to send specific traffic to the RSA NetWitness Investigation tool. You can also add GigaSMART applications to your flow maps to reduce the volume of traffic sent to tools located outside the application VPC.

Hunting for Suspicious Activity

Use the RSA NetWitness Investigation tool to hunt for suspicious activity.

For more information about Gigamon’s AWS Visibility Platform, visit https://www.gigamon.com/products/public-cloud-aws.

NOTE: For the purposes of this test drive, enter all the aliases exactly as instructed in the procedures. Follow the steps exactly in the same order as instructed in this document.

Creating Traffic-Specific Flow Maps

This section describes how to create flow maps and connect them to the RSA NetWitness Investigation tool.

1. Click the Fabric Manager link in the email that you received after signing up for the test drive. In the browser warning screen, click Advanced > Proceed to fabric-manager.

2. Log in to GigaVUE-FM with the username and password provided in the email.

3. Click See EULA, and then scroll down to accept the terms. Click OK.

4. Click AWS on the left navigation pane.

5. In the Monitoring Sessions page, select TestDriveDemo and click Edit.

6. Drag and drop the Passall map from the MAP LIBRARY to the empty map area.

7. Drag and drop the RSA-Decoder from the TUNNELS section to the map area.

8. Move the mouse over the Passall map and drag a line connecting the red dots from the Passall map to the RSA-Decoder.

9. Click Deploy. In the Deployment Status dialog box, click Close. The traffic starts flowing to the RSA-Decoder.

Hunting for Suspicious Activity

This section describes how analysts can use the RSA NetWitness tool to perform hunting operations that identify malicious activity and troubleshoot network configuration problems.

1. Click the RSA NetWitness link in the email.

2. Scroll down and click Accept.

3. Log in to RSA NetWitness with admin as the username and netwitness as the password.

4. Click Accept again to proceed.

5. From the Shortcut widget, click Investigate a Service.

The Investigate window allows you to drill down and view the information received through alerts and dashboards.

You can also perform hunting operations to identify malicious activity or troubleshoot network configuration problems.

6. Select the Concentrator option and then click Navigate.

7. Click Load Values.

8. Drag the window pane up and scroll down to view the meta keys.

The meta keys show unusual activity by the admin account. Clicking on that specific meta key value opens the investigation window and shows only data that’s relevant to that user account.

Analysis

A full packet capture technology such as RSA NetWitness Logs and Packets can hold hundreds of terabytes of data in a system. Querying that amount of raw data would be very cumbersome. Because RSA NetWitness Logs and Packets queries the metadata it extracts and indexes rather than the raw packets, querying is very quick.

The section at the top (username=’admin’) is the query that has been run against the RSA NetWitness Logs and Packets metadata. It is called a breadcrumb. The breadcrumb shows the current subset of data that the analyst is working on.

In this case, only data that is relevant to the admin account is displayed. The green text is the session count for this category.

Looking at admin account attempts, the data shows that the attempt was from a single source and against two different webservers.

The data also shows that a default password of ‘password’ was being used. Click on the green session count next to the password value.

The Details page displays detailed information about the sessions. Click View Details to see the event reconstruction.

You can see that “Object not found” is displayed. Click the Best Reconstruction drop-down and select View Text. Scroll down to one of the requests and you can see the credentials being used.
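As an added example that is not code from the Gigamon or RSA document, the following Python models the workflow walked through above in the Decoder/Concentrator table and the Analysis section: a toy "Decoder" parses captured HTTP requests into flat metadata, a toy "Concentrator" holds the index, the username=’admin’ breadcrumb is a filter over that index, "Load Values" is a count of sessions per meta value, and two checks flag what the walkthrough found by hand (one source using the same account against more than one web server, and a default password in use). The sample sessions, addresses, credentials and meta key names (src_ip, dst_ip, username, password, host, path, status) are all constructed assumptions standing in for real NetWitness meta keys.

```python
import base64
from collections import Counter

# Constructed sample sessions (not captured data): (src_ip, dst_ip, raw HTTP request, HTTP status).
# Three admin attempts from one source against two servers, one anonymous request,
# one legitimate user, and one malformed Authorization header the parser must tolerate.
SAMPLE_SESSIONS = [
    ("10.0.1.25", "10.0.2.10", "GET /manager HTTP/1.1\r\nHost: web1\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n", 404),
    ("10.0.1.25", "10.0.2.11", "GET /manager HTTP/1.1\r\nHost: web2\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n", 404),
    ("10.0.1.25", "10.0.2.10", "GET /admin HTTP/1.1\r\nHost: web1\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n", 404),
    ("10.0.1.77", "10.0.2.10", "GET /index.html HTTP/1.1\r\nHost: web1\r\n\r\n", 200),
    ("10.0.1.80", "10.0.2.11", "GET /app HTTP/1.1\r\nHost: web2\r\nAuthorization: Basic Ym9iOnMzY3IzdCE=\r\n\r\n", 200),
    ("10.0.1.80", "10.0.2.11", "GET /app HTTP/1.1\r\nHost: web2\r\nAuthorization: Basic !!notbase64!!\r\n\r\n", 400),
]


def decode_session(src_ip, dst_ip, raw_request, status):
    """Toy Decoder: parse one raw HTTP request into a flat metadata record.

    Credentials are recorded only when a well-formed Basic header is present; a missing
    or malformed header leaves username/password as None instead of raising.
    """
    meta = {"src_ip": src_ip, "dst_ip": dst_ip, "status": status,
            "username": None, "password": None, "host": None, "path": None}
    lines = raw_request.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) >= 2:
        meta["path"] = request_line[1]
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            meta["host"] = value
        elif name == "authorization" and value.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # malformed credential header: record nothing for this session
            if ":" in decoded:
                meta["username"], meta["password"] = decoded.split(":", 1)
    return meta


def concentrator_index(sessions):
    """Toy Concentrator: the list of metadata records the analyst queries."""
    return [decode_session(*session) for session in sessions]


def query(records, **where):
    """The breadcrumb filter: query(records, username="admin") is username='admin'."""
    return [r for r in records if all(r.get(k) == v for k, v in where.items())]


def load_values(records, key):
    """The Load Values view: each distinct value of a meta key with its session count."""
    return Counter(r[key] for r in records if r.get(key) is not None)


def single_source_multi_host(records, username):
    """Detection: one source using the same account against two or more servers.

    Returns {src_ip: sorted dst_ips} for every source that hit at least two servers.
    """
    targets = {}
    for r in query(records, username=username):
        targets.setdefault(r["src_ip"], set()).add(r["dst_ip"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= 2}


def default_credential_sessions(records, weak_passwords=frozenset({"password"})):
    """Detection: sessions whose captured password is on a list of known defaults.

    The list here holds only the value seen in the walkthrough; extend it for your estate.
    """
    return [r for r in records if r["password"] in weak_passwords]


if __name__ == "__main__":
    records = concentrator_index(SAMPLE_SESSIONS)
    admin = query(records, username="admin")
    print("username='admin' ->", len(admin), "sessions")
    print("password values:", dict(load_values(admin, "password")))
    print("servers targeted:", dict(load_values(admin, "dst_ip")))
    print("one source, several servers:", single_source_multi_host(records, "admin"))
    print("default credential sessions:", len(default_credential_sessions(records)))
```

Run as a script it reproduces the pivot from the walkthrough: three sessions under username=’admin’, all using the password ‘password’, from a single source against two servers. The parser deliberately drops the malformed Authorization header rather than failing, which matters in a capture pipeline where one bad request must not stall indexing of the rest.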

Without RSA NetWitness Logs and Packets, you would have to collect logs from the webserver and, where available, analyze network traffic separately to identify the suspicious activity.

Copyright © 2017 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners.

4137-01
