RSA NETWITNESS PLATFORM - Networks Unlimited · RSA NetWitness UEBA is a purpose-built, big-data...

Date post: 24-Aug-2020
Page 1: RSA NETWITNESS PLATFORM - Networks Unlimited · RSA NetWitness UEBA is a purpose-built, big-data ready, user and entity behavior analytics solution integrated as a central part of

RSA NETWITNESS® PLATFORM

Andy Waterhouse
EMEA Presales Director
Twitter: @Andy_J_W

Page 2

ORGANIZATIONS FACE DIFFICULT SECURITY CHALLENGES

A SHIFTING LANDSCAPE: Difficult to see any and all threats, wherever they reside in a modern IT infrastructure.

RESOURCE SHORTAGES: Skilled analysts are in short supply, and teams struggle to effectively combat threats.

BUSINESS RISK INSIGHTS: Difficulty linking security alerts with business context and risk, resulting in a lack of focus on the most important threats.

Page 3

ATTACKERS TAKE ADVANTAGE OF CHALLENGES TO TURN COMPROMISES INTO BREACHES

[Figure: attack timeline on a scale of Minutes, Hours, Days, Weeks, Months; markers for Breach Detected and 3rd Party Detection]

82% compromised in MINUTES; 99% of exfiltration occurred in DAYS; 64% discovered in MONTHS.

Attack chain shown on the timeline:
• Spear Phishing Attack
• Malware Installed
• Initial Compromise
• Communicate to External Server (C2)
• Breach
• Lateral Movement
• Discover Critical Assets
• Data Exfiltration

Page 4

LOGS PROVIDE ONLY LIMITED VISIBILITY

[Figure: Confidential Data behind NGFW, IDS / IPS and a second NGFW, with each control missing the threat]

• Malware tool misses UNKNOWN, NEW threat
• NGFW has no rule for/against threat traffic
• NGIPS has no signature to stop the threat traffic
• NetFlow Analyzer sees lateral movement, but from a known user
• AV/NGAV misses user downloading unknown malware
• VMs further inhibit visibility into threats
• Visibility into threats in the Cloud is an even bigger challenge

Page 5

AND THE FLOOD OF DATA CAN BE OVERWHELMING

Data sources: SIEM / Logs; NetFlow Collector / NBAD; Full PCAP / Network Forensics; Endpoint Security; Data Capture across Cloud.

The need for visibility drives organizations to add more data sources. But too much data from disparate sources can obfuscate real threats.

Manual correlation and analysis make it NEARLY IMPOSSIBLE to respond in time and prevent breaches.

[Figure: a cloud of alert markers]

Page 6

SECURITY TEAMS STRUGGLE TO ASSESS & ACT

Is this a real incident?
➢ Did any new processes execute on the target?
➢ Were there any communications back to the attacker?

What's the scope of the incident?
➢ Based on the initial incident, are there other systems affected?

What's the impact of the incident?
➢ What data was exfiltrated?

What actions are required to mitigate?

[Figure: a cloud of alert markers with a question mark]

Page 7

AN EVOLVED SIEM PLATFORM THAT PROVIDES…

Complete Visibility: Visibility across Endpoints (OS-level), Logs, Networks (Packets), VMs and the Cloud, combined with threat intelligence and business context. Consumption and transformation of data into usable threat metadata.

Detection of Advanced Attacks: Multiple sets of analytic techniques: data science modeling and machine learning; user & entity behavior analytics (UEBA). Processing of large volumes of threat data for complete threat detection.

Insight into the Full Attack Scope: Validation of incidents with Endpoint and Cloud visibility and analysis. Orchestration across your entire security arsenal to accelerate incident response and automation.

Eradication of Threats: Enable security teams to act and mitigate the full attack before it can impact the business. Automated response. Orchestration across the entire SOC.

Page 8

SPEED OF DETECTION & RESPONSE IS CRITICAL

THE LONGER THEY ARE IN, THE HIGHER THE RISK

[Figure: Risk rising against Time; the Analyst Time & Skills Required axis rises with it]

Detect Incidents Earlier Before Impact

Page 9

THE RSA NETWITNESS PLATFORM ARCHITECTURE

[Architecture figure]

Data sources, Cloud and On Premises: PACKETS, LOGS, NETFLOW, ENDPOINT

VISIBILITY: Enrich (Threat Intel | Business Context); Intelligence & Context Tagging

ANALYSIS: User Behavior Analytics; Real-Time Detection; Archiving

ACTION: Investigation; Compliance Reporting; Endpoint Analysis; Session Reconstruction; Incident Management; Orchestration and Automation

RSA LIVE: Rules | Parsers | Reports | Feeds. Powered by RSA Research, Incident Response, and Engineering, plus RSA Community.

Page 10

RSA NETWITNESS PLATFORM

• ACCELERATED THREAT DETECTION FROM THE ENDPOINT TO THE CLOUD
• FORCE MULTIPLIER FOR SECURITY ANALYSTS & INCIDENT RESPONDERS
• A BUSINESS-DRIVEN SECURITY APPROACH, PROVIDING BUSINESS CONTEXT
• INTELLIGENCE-DRIVEN SOC

Page 11

RSA NETWITNESS UEBA

DETECT THE UNKNOWN WITH MACHINE LEARNING ANALYTICS

Page 12

RSA NETWITNESS UEBA: DETECT THE UNKNOWN

RSA NetWitness UEBA is a purpose-built, big-data ready, user and entity behavior analytics solution integrated as a central part of the RSA NetWitness Platform.

By leveraging unsupervised statistical anomaly detection and machine learning, RSA NetWitness UEBA provides
• Comprehensive detection for unknown threats based on behaviors at every step of the attack lifecycle
• Without the need for analyst tuning
• Powerful machine-learning engine and breadth of use cases

FEWER ALERTS. HIGHER QUALITY. WINNING STRATEGY.

Page 13

RSA NETWITNESS UEBA

NATIVE DATA COLLECTION. ANALYTICS. INVESTIGATION READY.

[Figure: UEBA pipeline]
Native data collection: DATA INGEST; UNIFIED METADATA TAXONOMY; USER BEHAVIORAL BASELINE
Analytics: BEHAVIORAL MODELING; UNSUPERVISED MACHINE LEARNING; ANOMALY DETECTION; ALERT CORRELATION; RISK SCORE & PRIORITY
Investigation ready: ENRICHED USER CONTEXT; ANOMALIES INVESTIGATION; USE CASE FOCUSED

Page 14

DETECT IDENTITY-BASED ANOMALIES FOR MORE COMPLETE INCIDENT RESPONSE

WHY RSA NETWITNESS UEBA

• MULTI-TIERED UNSUPERVISED MACHINE LEARNING: RECURSIVE PATTERN RECOGNITION; AUTONOMOUS TUNING
• STATISTICAL ANALYSIS: STANDARD DEVIATIONS; NEW OCCURRENCES; BEHAVIORAL OUTLIERS
• ADVANCED CORRELATION: DATA AGGREGATION FRAMEWORK; MULTIVARIATE ANALYSIS; ROBUST AND COMPREHENSIVE; ADAPTIVE ALERT PRIORITIZATION
• SEAMLESS ANOMALY EXPLORATION: STREAMLINED INVESTIGATION

Page 15

UNDER THE HOOD >_

WHY RSA NETWITNESS UEBA

TIME BASED MODEL: AUTHENTICATION TIME ANOMALY; FILE ACCESS TIME ANOMALY; AD CHANGE TIME ANOMALY
Example feature: unix timestamp = 1491988104; iso 8601 = 2017-04-12T09:08:24+00:00; rfc 2822 = Wednesday, 12-Apr-17 09:08:24 UTC

CONTINUOUS MODEL: HIGH NUMBER OF FILES ACCESSED; HIGH NUMBER OF AD CHANGES; HIGH NUMBER OF FAILED LOGONS
Example features: computers accessed = 23; failed logons = 144; files copied = 6544

CATEGORICAL MODEL: NOISY FEATURE REDUCTION; RARITY REDUCTION; CERTAINTY REDUCERS
Example features: computer name = pc1; failed logons = 144; files copied = 6544

GLOBAL MODEL: SOURCE COMPUTER ANOMALY; FOLDER ACCESS ANOMALY; SERVER ACCESS ANOMALY
Example features: application = outlook.exe; computer name = pc1; country = nz
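The four models on this slide, worked as an added example (my illustration, not RSA NetWitness code): a time-based model that scores a logon hour by how rarely the user has been active at that hour, a continuous model that scores daily counts such as failed logons and files copied as standard deviations above the user's own baseline, and a categorical model that treats a computer name or country as anomalous when the user has never shown it, weighted by a global model of how rare the value is across the whole organisation. The baselines, thresholds, weights and the two user-days are constructed assumptions; the suspicious day reuses the slide's figures (timestamp 1491988104, 144 failed logons, 6544 files copied, pc1, nz, outlook.exe).

```python
"""Toy UEBA scoring of one user-day against per-user and organisation-wide baselines.

Added illustration: this is not RSA NetWitness code. The thresholds, weights and
baselines below are constructed assumptions, chosen to show how a time-based model,
a continuous (volume) model and a categorical/global (rarity) model each contribute
indicators that are then combined into a single risk score.
"""
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed per-user baseline: hours (UTC) of 35 historical logons, 15 days of counts,
# and the categorical values this user has been seen with before.
BASELINE_LOGON_HOURS = [8, 9, 9, 10, 13, 14, 17] * 5
BASELINE_DAILY = {
    "failed_logons": [0, 1, 0, 2, 0, 0, 1, 0, 0, 1, 0, 3, 0, 0, 1],
    "files_copied": [40, 55, 38, 60, 47, 52, 41, 39, 58, 44, 50, 46, 43, 57, 49],
}
BASELINE_CATEGORIES = {"computer name": {"pc7"}, "country": {"gb"}, "application": {"outlook.exe"}}

# Constructed organisation-wide view: number of users (out of GLOBAL_USERS) ever seen with a value.
GLOBAL_USERS = 200
GLOBAL_CATEGORIES = {
    "computer name": {"pc7": 1, "pc1": 1},
    "country": {"gb": 180, "us": 15, "de": 5},
    "application": {"outlook.exe": 200},
}

TIME_ANOMALY_THRESHOLD = 0.9   # assumption: flag hours seen <10% as often as the busiest hour
Z_THRESHOLD = 3.0              # assumption: flag volumes more than three standard deviations above mean


def time_anomaly(hour, baseline_hours):
    """Time-based model: 0.0 for the user's busiest hour, 1.0 for an hour never seen."""
    counts = [0] * 24
    for h in baseline_hours:
        counts[h] += 1
    busiest = max(counts)
    return 1.0 - counts[hour] / busiest if busiest else 1.0


def continuous_zscore(value, history):
    """Continuous model: how many standard deviations a day's count sits above the baseline mean."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:                       # flat history: any change at all is maximally surprising
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def is_new_for_user(feature, value):
    """Categorical model: a value this user has never been seen with before."""
    return value not in BASELINE_CATEGORIES.get(feature, set())


def global_rarity(feature, value):
    """Global model: 1.0 if no user in the organisation has shown this value, 0.0 if everyone has."""
    seen_by = GLOBAL_CATEGORIES.get(feature, {}).get(value, 0)
    return 1.0 - seen_by / GLOBAL_USERS


def score_activity(activity):
    """Run all models over one user-day and return the stitched indicators plus a 0-100 risk score."""
    indicators = []
    for ts in activity["logon_timestamps"]:
        hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
        if time_anomaly(hour, BASELINE_LOGON_HOURS) >= TIME_ANOMALY_THRESHOLD:
            indicators.append((f"authentication time anomaly (hour {hour:02d} UTC)", 20))
    for feature, history in BASELINE_DAILY.items():
        z = continuous_zscore(activity[feature], history)
        if z > Z_THRESHOLD:
            label = feature.replace("_", " ")
            indicators.append((f"high number of {label} ({activity[feature]}, z={z:.1f})", 30))
    for feature, value in activity["categorical"].items():
        if is_new_for_user(feature, value):
            # A value new for this user scores 10, rising to 30 if it is also unseen organisation-wide.
            weight = round(10 + 20 * global_rarity(feature, value))
            indicators.append((f"new {feature} for user: {value}", weight))
    risk = min(100, sum(weight for _, weight in indicators))
    return {"risk_score": risk, "indicators": indicators}


# Constructed user-days. The first reuses the slide's figures (1491988104 is 2017-04-12T09:08:24Z;
# 1491966504 is the same day at 03:08:24Z) plus 144 failed logons and 6544 files copied from pc1 in nz.
SUSPICIOUS_DAY = {
    "logon_timestamps": [1491966504, 1491988104],
    "failed_logons": 144, "files_copied": 6544,
    "categorical": {"computer name": "pc1", "country": "nz", "application": "outlook.exe"},
}
NORMAL_DAY = {
    "logon_timestamps": [1491988104],
    "failed_logons": 1, "files_copied": 50,
    "categorical": {"computer name": "pc7", "country": "gb", "application": "outlook.exe"},
}

if __name__ == "__main__":
    for name, day in (("suspicious", SUSPICIOUS_DAY), ("normal", NORMAL_DAY)):
        result = score_activity(day)
        print(f"{name}: risk {result['risk_score']}")
        for text, weight in result["indicators"]:
            print(f"  +{weight:>2}  {text}")
```

Run it directly and the suspicious day produces five indicators (the 03:08 logon, both volume spikes, and the never-seen computer name and country) capped at a risk score of 100, while the normal day produces none. Two design points matter in practice: the continuous model uses mean and population standard deviation, which a handful of legitimately busy days can inflate until a real spike no longer clears three sigma, so production baselines usually prefer robust statistics (median and MAD) or a longer history; and the categorical weighting is what keeps "new for this user" from becoming noise, since a value half the organisation already uses scores far lower than one nobody has shown.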

Page 16

*HANDS OFF* INNOVATIVE MACHINE LEARNING POWERED ENGINE

• Natural language indicators (aligned with the MITRE ATT&CK framework)
• Nondeterministic detection approach
• Innovative Risk Scoring. Dynamic statistical risk scoring mechanism based on indicators clustering and synergy.

FALSE POSITIVES ARE A THING OF THE PAST

JUMPSTART INCIDENT INVESTIGATION

OUTPUT: ALERT CORRELATION; RISK SCORE & PRIORITY

BEFORE SCENARIO
• Siloed (and FIFO)
• Point in time (alert fatigue)
• Complex
• Not-actionable alerts
• Open-ended questions

AFTER SCENARIO
• Aggregated & Adaptive. Stitching hundreds of point anomalous indicators
• Higher fidelity. Enable instant pivot and full attack scope view
• Out-of-the-box. No predefinitions, no thresholds required
• Context Rich.

Page 17

BECAUSE. USE CASES.

WHY RSA NETWITNESS UEBA

Categories: Time-related; data-transfer-volume and event-source related anomalies; geographical location and speed; Compromised account; Suspicious access

Use cases:
• command and control (C2) activity
• data theft/exfiltration or data staging
• lateral movement
• active directory attack
• shared user credentials
• privileged user account abuse
• geolocation and remote access anomalies
• snooping and reconnaissance
• advanced malware
• Brute-force attempts
• Abnormal system access
• privilege elevation
• password spray

Page 18

BECAUSE. USE CASES. AD ATTACK TOP INDICATORS

WHY RSA NETWITNESS UEBA

ATTACKER: Brute force attack to compromise user credentials
RSA NETWITNESS UEBA DETECT:
• Unusual number of failed logons
• Logon from a suspicious system
• Logon at unusual time
• Logons to multiple accounts from the same IP address

ATTACKER: Attacker obtains elevated privileges. Backdoor account created in AD, granted privileged rights
RSA NETWITNESS UEBA DETECT:
• New AD user account created
• AD account added to privileged group

ATTACKER: Horizontal movement across Active Directory to gain more wide-spread access
RSA NETWITNESS UEBA DETECT:
• AD account added to privileged group

ATTACKER: Crown jewel theft: all passwords harvested, user PII data exfiltrated, etc.
RSA NETWITNESS UEBA DETECT:
• Abnormal machine accessed
• Extraordinary number of files accessed
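The attacker/detect pairing above, correlated in code as an added example (mine, not the product's): the indicators named on this slide are raised from a constructed stream of Windows Security events and stitched onto the source IP behind them, and the "indicators clustering and synergy" idea from the Innovative Risk Scoring bullet on the earlier slide is rendered as a bonus when one entity's indicators span three or more attack stages. The event IDs are the real Windows ones (4625 failed logon, 4624 successful logon, 4720 user account created, 4728/4732/4756 member added to a security-enabled group); the thresholds, weights, stage names, privileged-group list and the per-account host baseline are assumptions.

```python
"""Correlating AD attack indicators into a per-entity risk score.

Added illustration: not RSA NetWitness code. The event records are constructed in the
shape of Windows Security events (4625 failed logon, 4624 successful logon, 4720 user
account created, 4728/4732/4756 member added to a security-enabled group); the thresholds,
weights, stage names and the synergy bonus are assumptions for the example.
"""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
FAILED_LOGON_THRESHOLD = 10      # failed logons from one source IP
MULTI_ACCOUNT_THRESHOLD = 3      # distinct accounts targeted from one source IP
SYNERGY_BONUS = 20               # added when indicators span three or more attack stages
STAGE_ORDER = ["brute force", "privilege elevation", "crown jewel theft"]

# Constructed baseline of the hosts each account normally logs on to.
KNOWN_HOSTS = {"jsmith": {"WS17"}, "alice": {"WS22"}, "bob": {"WS03"}}

# (indicator name from the slide) -> (attack stage, weight)
INDICATORS = {
    "unusual number of failed logons": ("brute force", 15),
    "logons to multiple accounts from the same IP address": ("brute force", 15),
    "new AD user account created": ("privilege elevation", 10),
    "AD account added to privileged group": ("privilege elevation", 25),
    "abnormal machine accessed": ("crown jewel theft", 15),
}


def _ev(event_id, **fields):
    return {"event_id": event_id, **fields}


# Constructed event stream: a spray of failed logons from 10.0.0.5, a success for jsmith on a
# file server he never uses, then jsmith creating a backdoor account and making it a Domain Admin.
# The last two events are benign noise from another workstation.
EVENTS = [
    *[_ev(4625, src_ip="10.0.0.5", target_user=u) for u in ("jsmith", "alice", "bob", "carol") for _ in range(3)],
    _ev(4624, src_ip="10.0.0.5", target_user="jsmith", host="FS01"),
    _ev(4720, subject_user="jsmith", target_user="svc-backup2"),
    _ev(4728, subject_user="jsmith", target_user="svc-backup2", group="Domain Admins"),
    _ev(4624, src_ip="10.0.0.9", target_user="alice", host="WS22"),
    _ev(4625, src_ip="10.0.0.9", target_user="bob"),
]


def correlate(events):
    """Stitch indicators onto the source IP behind them and score each entity 0-100."""
    failed_targets = defaultdict(list)   # src_ip -> accounts that failed to log on from it
    last_source_ip = {}                  # account -> source IP of its latest successful logon
    findings = defaultdict(list)         # entity -> [(indicator, detail)]

    for e in events:
        eid = e["event_id"]
        if eid == 4625:
            failed_targets[e["src_ip"]].append(e["target_user"])
        elif eid == 4624:
            last_source_ip[e["target_user"]] = e["src_ip"]
            if e["host"] not in KNOWN_HOSTS.get(e["target_user"], set()):
                findings[e["src_ip"]].append(("abnormal machine accessed", f"{e['target_user']} on {e['host']}"))
        elif eid == 4720:
            # Attribute actions by an account to the IP it was last seen logging on from.
            actor = last_source_ip.get(e["subject_user"], e["subject_user"])
            findings[actor].append(("new AD user account created", f"{e['target_user']} by {e['subject_user']}"))
        elif eid in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            actor = last_source_ip.get(e["subject_user"], e["subject_user"])
            findings[actor].append(("AD account added to privileged group", f"{e['target_user']} -> {e['group']}"))

    for ip, targets in failed_targets.items():
        if len(targets) >= FAILED_LOGON_THRESHOLD:
            findings[ip].append(("unusual number of failed logons", f"{len(targets)} failures"))
        if len(set(targets)) >= MULTI_ACCOUNT_THRESHOLD:
            findings[ip].append(("logons to multiple accounts from the same IP address", f"{len(set(targets))} accounts"))

    results = {}
    for entity, items in findings.items():
        items.sort(key=lambda item: STAGE_ORDER.index(INDICATORS[item[0]][0]))
        stages = {INDICATORS[name][0] for name, _ in items}
        risk = sum(INDICATORS[name][1] for name, _ in items)
        if len(stages) >= 3:             # synergy: a chain across stages is worse than isolated alerts
            risk += SYNERGY_BONUS
        results[entity] = {"risk_score": min(100, risk), "stages": stages, "indicators": items}
    return results


if __name__ == "__main__":
    for entity, r in correlate(EVENTS).items():
        print(f"{entity}: risk {r['risk_score']} across {sorted(r['stages'])}")
        for name, detail in r["indicators"]:
            print(f"  - {name}: {detail}")
```

Run as a script it reports a single entity, 10.0.0.5, with five indicators across all three stages and a risk score of 100, while the benign workstation 10.0.0.9 never appears: its one failed logon and its logon to a known host raise nothing. The pivot that makes the chain visible is `last_source_ip`, which lets account-centric events (4720, 4728) land on the same entity as the IP-centric brute-force indicators; without it the account creation and the password spray would be two unrelated alerts, which is exactly the "siloed, point in time" failure the BEFORE SCENARIO on Page 16 describes.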

Page 19

RSA NETWITNESS USER INTERFACE

READY TO GO!

Page 20

RSA NETWITNESS USER INTERFACE

READY TO GO!

Page 21

RSA NETWITNESS ORCHESTRATOR

UPLEVEL YOUR SOC

Page 22

WHAT IS ORCHESTRATION AND AUTOMATION?

Gartner defines security orchestration, automation and response, or SOAR, as technologies that enable organizations
• ORCHESTRATION [to collect security threats data and alerts from different sources, where incident analysis and triage can be performed leveraging a combination of human and machine power]
• AUTOMATION [to help define, prioritize and drive standardized incident response activities according to a standard workflow.]

SOAR tools allow an organization to define incident analysis and response procedures (aka plays in a security operations playbook) in a digital workflow format, such that a range of machine-driven activities can be automated.

Page 23

RSA NETWITNESS ORCHESTRATOR

AUTOMATE THE KNOWN. DETECT THE UNKNOWN.

• Comprehensive security operation and automation technology that combines
  • full case management,
  • intelligent automation and orchestration, and
  • collaborative investigations,
  leveraging playbook-driven automated response actions and machine-learning powered insights for quicker resolution and better SOC efficiency.

RSA NetWitness Orchestrator acts as the connective tissue not only for the RSA NetWitness Platform, but extends across a SOC's entire security arsenal.

Page 24

ORCHESTRATION. LEVERAGE EXISTING INVESTMENTS.

WHY RSA NETWITNESS ORCHESTRATOR

• 160+ technology partner interoperabilities with more than 1000 bi-directional (push, pull) action types
• Open and extensible platform
• Apps built in Python and JavaScript
• Connectors: SQL, SSH, WMI, RESTful API, HTTPS, SOAP

Integration categories: AUTHENTICATION; CASE MANAGEMENT; DATA ENRICHMENT; VULNERABILITY; SIEM; THREAT INTEL; NETWORK FORENSICS; ANALYTICS; BYOI

BI-DIRECTIONAL INTEGRATION | FEATURE-RICH ACTIONS | OOTB NETWORK & BYOI

Page 25

CASE MANAGEMENT. BREAKING DOWN SILOS.

WHY RSA NETWITNESS ORCHESTRATOR

[Figure: case management elements]
• ALERTS / INCIDENTS
• USER/ENTITY COLLABORATION
• CASE MANAGEMENT
• ADVANCED SEARCH: IP. USER. DOMAIN. HASH. ENDPOINT. …
• CUSTOMIZED VIEWS PER INCIDENT TYPE
• RELATED INCIDENTS
• EVIDENCE BOARD: LOG. PCAP. MFT. MEMORY. AUDIT. …
• DASHBOARD & REPORTS
• AUTO-DOCUMENTATION

Page 26

PLAYBOOK-DRIVEN AUTOMATION

WHY RSA NETWITNESS ORCHESTRATOR

• Visual playbooks: representation and context, outputs and errors
• Review live playbook runs
• Avoid scripting for parsing, filtering and much more
• Ability to customize and create new technology integrations & playbooks
• Aggregate playbook findings for quick review

Playbook examples: EVIDENCE COLLECTION; HUNTING; USER/MACHINE CORRELATION; "BACK-COLORING"; THREAT INTEL MATCH

Page 27

MACHINE LEARNING

WHY RSA NETWITNESS ORCHESTRATOR

[Figure: machine learning in the Orchestrator]
Signals: INCIDENT TYPE; ANALYST LOAD; MESSAGES/COMMENTS; MANUAL VS. AUTOMATION; HISTORY INFORMATION; FREQUENCY; SECURITY COMMANDS & ARGUMENTS; ANALYST ACTIONS
Applications: INCIDENT OWNERSHIP; AUTOMATED PLAYBOOK RECOMMENDATIONS; ANALYST-TASK MATCHING; EXTRACTING DUPLICATE INCIDENTS

Page 28

RSA NETWITNESS PLATFORM 11.1

Page 29

WHAT'S NEW IN RSA NETWITNESS 11.1

1. Introduction of RSA NetWitness® Endpoint Insights
• Free endpoint context to accelerate threat detection & response
• Delivers timely insights into endpoint hosts via scans
• Simplifies Microsoft Windows Logs collection
• Available free to RSA NetWitness customers

2. Dynamic Log Visibility
• Log visibility from new applications and systems
• New innovative "dynamic parsing" technology enables organizations to instantly parse new log data sources and immediately access critical security data

3. High Confidence Detection of Threats with New UEBA Content
• Enables the high fidelity detection of user- and entity-based threats through a set of bundled UEBA content packs
• Correlate multiple data sources and identify anomalous or suspicious user behavior

4. Streamlined Security Management and Reduced Process Complexity
• Continued innovation and improvements to help drive greater efficiencies for analysts of all skill and experience levels.

Page 30

QUESTIONS?

Page 31

THANK YOU!

Andy Waterhouse
EMEA Presales Director
Twitter: @Andy_J_W

