RSA Security Analytics 10.5 - Demo v11.1
RSA, The Security Division of EMC - For Approved RSA Use Only
Table of Contents
Introduction
    Business Challenge
    Solution
Troubleshooting
    General Troubleshooting and Tips
    RSA Security Analytics Troubleshooting & Tips
Conclusion
    Conclusion
Introduction
Business Challenge
Today's security threats are multi-faceted, dynamic and stealthy. Staying in front of attackers has never
been more difficult. Attackers spend significant resources learning about an organization in order to
develop malware that targets it specifically. Signature-based tools are ineffective against such threats
because the malware has never been seen before, so no signature exists for it.
Organizations need tools that help them quickly detect compromises, use of non-standard
communication tools, and exfiltration or sabotage of critical data, and that manage the workflow from
detection to remediation. These tools let them confirm infections and take action.
Solution
Security Analytics addresses the requirement for tools that enable quick detection of compromises, use
of non-standard communication tools, and exfiltration or sabotage of critical data.
With RSA Security Analytics, organizations can:
Augment existing SIEM capabilities with better visibility, analysis and workflow
Inspect every packet session for threat indicators at the time of collection, using capture-time
enrichment
Instantly pivot from incidents into network packet detail to perform network forensics and
understand the true nature and scope of issues
Key Components
Lab Overview
Lab Environment
The environment for this lab includes the following:
1 Windows 2012 Launch Pad
1 Windows 2012 Domain Controller
1 Security Analytics Hybrid Server
1 Security Analytics Event Stream Analyzer
Lab Credentials
LaunchPad
vlab\Administrator / Password123!
All other machines are available through the mRemoteNG available on the LaunchPad desktop.
Credentials for Windows machines (Domain Controller) are: Administrator / Password123!
Credentials for appliances (saesarchvr, sahybrid) are: root / netwitness
Security Analytics UI
admin / Password123! - Administrator
alex / Password123! - Limited Access
amy / Password123! - Data Privacy Officer
sam / Password123! - Level One Analyst
chris / Password123! - Level Two Analyst
Lab Scenario
Chris is a level two security analyst. He monitors the incident queue for alerts that may indicate
compromise of systems. He wants to improve visibility into the systems as well as the efficiency of
the analysts. His manager, Jim, wants to standardize the workflow and gain visibility into it.
Labs
This lab includes the following labs:
Security Analytics Overview
Security Analytics Intelligence and Business Context - How to know what to look for
Dynamic DNS and Data Exfiltration
WebShell Attacks - How to Detect and Respond
Step 4 Dashboard
An analyst may start the work day by logging in and viewing the dashboard. An analyst may have more
than one dashboard defined.
1. Click Default Dashboard
2. Click Demo
A full packet capture technology such as RSA Security Analytics may hold hundreds of terabytes of
data. Querying that volume directly would be very cumbersome, but because every session is described
by the metadata RSA Security Analytics extracts at capture time, queries run against the metadata
rather than the raw packets and return very quickly.
Step 6 Breadcrumb
The section at the top is the query that has been run against the RSA Security Analytics metadata to
select the current sessions. This is called the breadcrumb. It shows the subset of data the analyst is
currently working with, and each element added to it narrows that subset further.
In this case you are looking at the data that is relevant to that phishing attempt alert that was
clicked.
It is possible to query on the alert itself as shown below.
Double-clicking recreates the session that triggered the alert. In this case it shows that the phishing
attempt was in the form of an email.
It looks like an email from Facebook, the gist of which was that changes had been made and the user
should log in and update his or her account.
1. Click on the www.facebook.com link in the email.
The next thing the analyst needs to do is find out who clicked on it. There were several emails that went
out to people in the organization. It is important to understand who actually clicked the link to identify the
damage that has occurred.
14.1 Apply
1. Click Apply
With what was learned from that two-minute investigation, the analyst can send the details to the email
filtering provider to find out how the mail filtering solution missed this message, and the IT department
can remove the malware that was launched on the three infected machines. This visibility allows the
gap in the existing security layers to be closed and the damage to be cleaned up before the incident
spreads further.
Step 5 My Incidents
RSA Security Analytics offers organizations a unified platform for incident detection, investigations,
compliance reporting and advanced security analysis. This allows the organization's highly skilled
security personnel to be more efficient and less skilled security personnel to be more effective.
Instead of starting at the dashboard, an analyst may start his or her day in the incident management
queue, a built-in incident management capability within Security Analytics. The idea is that the process
has been operationalized: when alerts of a certain priority come in, they create an incident of a
corresponding priority, so the analyst knows what to work on first.
The queue shows incidents that were created manually as well as those generated automatically, all
assigned to the user's queue.
Step 14 Summary
From a single user interface, and in only a minute or two, the analyst was able to determine who was
infected, how they became infected, and what damage was done to the business. With this information
the organization can close the holes in its security layers and tell the business exactly what information
was exfiltrated.
Step 4 Reports
Key solution: RSA Security Analytics for Packets and Logs
Security Analytics allows reporting on network, log, NetFlow and endpoint data from a single interface.
By leveraging a feed of known dynamic DNS domains, Security Analytics can produce a report
summarizing all activity that has been seen both on the wire (packets) and from devices in the network
such as proxies and firewalls (logs). Beyond tagging traffic to and from dynamic DNS domains,
Security Analytics can add business and asset context to help an analyst sift through the noise. In this
sample report, the analyst can see the dynamic DNS traffic split by asset criticality and function.
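How the tagging and the report split described above can be produced, as an added Python example that is not RSA Security Analytics code. The dynamic DNS feed entries, the asset table and the packet/log records are constructed for the example; the point it adds is that feed matching must respect label boundaries, so a look-alike hostname that merely contains a feed entry is not tagged.

```python
"""Tag traffic to dynamic DNS domains from a feed and summarize it by asset
criticality and function, as the sample report in the lab does.

Added example; not RSA Security Analytics code. The feed, the asset table
and the records below are constructed for illustration.
"""
from collections import Counter

# Constructed feed of dynamic DNS provider domains. A feed entry matches a
# hostname only on a label boundary, so a look-alike such as
# dyndns.org.evil-lookalike.com is not tagged.
DYNDNS_FEED = {"no-ip.org", "dyndns.org", "ddns.net", "hopto.org"}

# Constructed asset context: internal IP -> (criticality, function).
ASSETS = {
    "192.168.1.55": ("high", "web-server"),
    "192.168.1.60": ("high", "file-server"),
    "10.0.0.7": ("low", "workstation"),
    "10.0.0.8": ("low", "workstation"),
}

# Constructed records. Packet sessions and proxy/firewall log events are
# normalized to the same meta keys so one report covers both.
RECORDS = [
    {"source": "packet", "ip.src": "10.0.0.7", "alias.host": "update.hopto.org"},
    {"source": "packet", "ip.src": "10.0.0.7", "alias.host": "www.example.com"},
    {"source": "proxy-log", "ip.src": "192.168.1.55", "alias.host": "cdn.beacon.no-ip.org"},
    {"source": "firewall-log", "ip.src": "192.168.1.60", "alias.host": "files.ddns.net"},
    {"source": "proxy-log", "ip.src": "10.0.0.8", "alias.host": "dyndns.org.evil-lookalike.com"},
    {"source": "packet", "ip.src": "10.0.0.8", "alias.host": "mail.example.org"},
]


def dyndns_match(hostname, feed=DYNDNS_FEED):
    """Return the feed entry the hostname falls under, or None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def tag_records(records, feed=DYNDNS_FEED, assets=ASSETS):
    """Capture-time style enrichment: keep records that hit the feed and
    attach the feed entry plus the asset's criticality and function."""
    tagged = []
    for rec in records:
        hit = dyndns_match(rec["alias.host"], feed)
        if hit is None:
            continue
        crit, func = assets.get(rec["ip.src"], ("unknown", "unknown"))
        tagged.append({**rec, "threat.category": "dyndns", "feed.match": hit,
                       "asset.criticality": crit, "asset.function": func})
    return tagged


def report(tagged):
    """Rows of (criticality, function, count), highest criticality first."""
    rank = {"high": 0, "medium": 1, "low": 2, "unknown": 3}
    counts = Counter((t["asset.criticality"], t["asset.function"]) for t in tagged)
    rows = sorted(counts.items(), key=lambda kv: (rank.get(kv[0][0], 9), kv[0][1]))
    return [(crit, func, n) for (crit, func), n in rows]


if __name__ == "__main__":
    for crit, func, n in report(tag_records(RECORDS)):
        print(f"{crit:8} {func:12} {n}")
```

Sorting the rows by criticality first is what lets the analyst read the report the way the lab describes: the high-criticality servers beaconing to dynamic DNS hosts appear before the workstations.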
4.1 Reports
Choose Reports to examine a report based on the most recently captured data.
Step 5 Investigation
Choose the appropriate meta group by
1. Click on the menu next to Profile
2. Choose Use Meta Group
3. Choose DynDNS
7.2 Downloads
Navigate to the Downloads directory
1. Right-click on M-schematic.png.tmp
2. Click Open with...
Without the ability to reconstruct the entire HTTP session (request and response), traditional toolsets
do not let an investigator see enough of the attack lifecycle to understand the initial attack vector
(Delivery, Exploit/Installation), what the attacker is doing (C2), and what the impact to the business is
(Action). For example, a logs-only SIEM has no way to alert on suspicious HTTP sessions of this nature
unless a downstream signature-based tool such as an IDS/IPS or web proxy has seen the exact attack
before. Furthermore, HTTP sessions cannot be reconstructed from log data alone, leaving no visibility
into the C2 commands, the data exfiltration, or the initial entry vector.
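The difference in visibility the paragraph describes, as an added Python example that is not RSA Security Analytics code. It reconstructs a constructed HTTP request and response for the lab's web server (the URI, headers, form field and response body are invented for illustration) and shows what a proxy log line keeps against what the full session reveals.

```python
"""Reconstruct an HTTP request/response pair from raw bytes and compare what
the full session exposes with what a proxy log line records.

Added example, not RSA Security Analytics code. The two messages are
constructed for illustration: a generic webshell-style POST to the lab's
web server and the server's reply.
"""
from urllib.parse import parse_qs

# Constructed request: a form-encoded POST whose body carries the command.
REQUEST = (
    b"POST /uploads/image.php HTTP/1.1\r\n"
    b"Host: 192.168.1.55\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"cmd=whoami"
)

# Constructed response: the command output comes back in the body.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"www-data\n"
)


def parse_message(raw):
    """Split one HTTP message into start line, header dict and body.
    Content-Length bounds the body so trailing bytes are not mistaken for it."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return lines[0], headers, rest[:length]


def reconstruct(request_bytes, response_bytes):
    """Pair request and response into one session view with decoded fields."""
    req_line, req_headers, req_body = parse_message(request_bytes)
    method, target, _ = req_line.split(" ", 2)
    status_line, _, resp_body = parse_message(response_bytes)
    status = int(status_line.split(" ", 2)[1])
    params = {}
    if req_headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params = {k: v[0] for k, v in parse_qs(req_body.decode("iso-8859-1")).items()}
    return {
        "method": method,
        "target": target,
        "host": req_headers.get("host", ""),
        "status": status,
        "request_params": params,
        "response_body": resp_body.decode("iso-8859-1").strip(),
    }


def proxy_log_view(session):
    """What a typical proxy log keeps for this session: method, URL and status.
    Neither the POST body nor the response body is recorded."""
    return f'{session["method"]} http://{session["host"]}{session["target"]} {session["status"]}'


def full_session_only(session):
    """The fields an analyst can see only after reconstructing the session."""
    return {"request_params": session["request_params"], "response_body": session["response_body"]}


if __name__ == "__main__":
    s = reconstruct(REQUEST, RESPONSE)
    print("proxy log :", proxy_log_view(s))
    print("full view :", full_session_only(s))
```

The proxy view is a successful POST to a PHP file under an uploads directory and nothing more; the command in the body and the account name in the reply only exist in the reconstructed session.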
5.1 Investigation
1. Click Investigation
2. Click Navigate
1. Double-click the second event with Source IP Address 67.202.59.203 and Destination IP of
192.168.1.55
2. Click Remove
11.1 Modifying the Query to Request HTTP Sessions Originating from the Attacker IP Address Prior to the Alert
1. Change ip.dst to ip.src
2. Click OK
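The sequence just described, from the breadcrumb in Step 6 of the first lab to the ip.dst to ip.src pivot in step 11.1, as an added Python illustration that is not RSA Security Analytics code. It indexes a handful of constructed session records by meta key, narrows them through a breadcrumb of filters, and then pivots to HTTP sessions originating from the attacker address before the alerting session. The session records, the times and the meta keys other than ip.src, ip.dst and service are constructed; only the two IP addresses come from the lab.

```python
"""Metadata index with breadcrumb drill-down and the ip.dst -> ip.src pivot.

Added illustration of the behaviour described in the lab (query against
session metadata, breadcrumb narrowing, pivot to sessions from the attacker
before the alert). Not RSA Security Analytics code; the sessions, the
times and most meta keys are constructed for this example.
"""
from collections import defaultdict

ATTACKER = "67.202.59.203"      # attacker IP from the lab
VICTIM = "192.168.1.55"         # web server IP from the lab

# Constructed session metadata; time is seconds since capture start.
SESSIONS = [
    {"id": 1, "time": 100, "ip.src": ATTACKER, "ip.dst": VICTIM, "service": 80, "action": "get", "filename": "index.php"},
    {"id": 2, "time": 160, "ip.src": ATTACKER, "ip.dst": VICTIM, "service": 80, "action": "post", "filename": "image.php"},
    {"id": 3, "time": 220, "ip.src": VICTIM, "ip.dst": ATTACKER, "service": 80, "action": "get", "filename": "M-schematic.png.tmp"},
    {"id": 4, "time": 300, "ip.src": ATTACKER, "ip.dst": VICTIM, "service": 80, "action": "post", "filename": "image.php", "alert": "webshell"},
    {"id": 5, "time": 310, "ip.src": "10.0.0.7", "ip.dst": VICTIM, "service": 80, "action": "get", "filename": "index.php"},
    {"id": 6, "time": 340, "ip.src": ATTACKER, "ip.dst": "192.168.1.60", "service": 22},
]


class MetaIndex:
    """Inverted index: meta key -> value -> set of session ids.

    A query touches only the index, never the stored packets, which is why
    drilling through a large capture stays fast.
    """

    def __init__(self, sessions):
        self.by_id = {s["id"]: s for s in sessions}
        self.index = defaultdict(lambda: defaultdict(set))
        for s in sessions:
            for key, value in s.items():
                if key != "id":
                    self.index[key][value].add(s["id"])

    def lookup(self, key, value):
        return set(self.index[key].get(value, ()))

    def all_ids(self):
        return set(self.by_id)


class Breadcrumb:
    """Ordered list of (key, value) filters. Each drill narrows the subset;
    remove() drops the last filter, like the Remove button in the UI."""

    def __init__(self, index):
        self.index = index
        self.filters = []

    def drill(self, key, value):
        self.filters.append((key, value))
        return self

    def remove(self):
        if self.filters:
            self.filters.pop()
        return self

    def ids(self):
        ids = self.index.all_ids()
        for key, value in self.filters:
            ids &= self.index.lookup(key, value)
        return ids

    def query(self):
        return " && ".join(f"{k} = {v}" for k, v in self.filters) or "*"

    def sessions(self):
        return sorted((self.index.by_id[i] for i in self.ids()), key=lambda s: s["time"])


def pivot_to_source(crumb, alert_session):
    """Step 11.1: swap the ip.dst filter for ip.src on the same address, then
    keep only sessions that ended before the alerting session."""
    pivoted = Breadcrumb(crumb.index)
    for key, value in crumb.filters:
        pivoted.drill("ip.src" if key == "ip.dst" else key, value)
    before = [s for s in pivoted.sessions() if s["time"] < alert_session["time"]]
    return pivoted.query(), before


def investigate(sessions=SESSIONS):
    """Run the lab's sequence: look at traffic to the attacker, then pivot."""
    index = MetaIndex(sessions)
    alert = next(s for s in sessions if "alert" in s)
    crumb = Breadcrumb(index).drill("service", 80).drill("ip.dst", ATTACKER)
    to_attacker = [s["id"] for s in crumb.sessions()]
    pivot_query, before = pivot_to_source(crumb, alert)
    return {
        "first_query": crumb.query(),
        "to_attacker": to_attacker,
        "pivot_query": pivot_query,
        "from_attacker_before_alert": [s["id"] for s in before],
    }


if __name__ == "__main__":
    for k, v in investigate().items():
        print(f"{k}: {v}")
```

The first breadcrumb finds the one session in which the web server sent something back to the attacker (the .tmp download); the pivot then surfaces the two earlier sessions from the attacker that preceded the alerting POST, which is where an analyst would look for the initial entry vector.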
Click Advanced.
4.1 Alerts
By accessing the alerting module of Security Analytics, an analyst is notified of a critical event that has
just happened. The rule behind this alert looks specifically for a user who uploaded a file via FTP to a
critical server exposed to the Internet without first submitting a change request, which in itself is an
internal policy violation. The alert carries an elevated severity, however, because the same file was
downloaded by an external website visitor shortly afterwards.
1. Click Alerts
2. Click Summary
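The correlation behind this alert, as an added Python example rather than the lab's actual ESA rule. The critical server list, the approved change requests, the 600-second window and the event stream are constructed; the external client reuses the attacker address from the lab. It raises a medium alert for the unapproved upload alone and escalates it to high only when an external client fetches the same file within the window.

```python
"""Correlate an unapproved FTP upload to a critical, Internet-exposed server
with a download of the same file by an external client shortly after, the
two conditions behind the lab's alert.

Added example of the correlation logic in plain Python, not an ESA rule from
the lab. The server list, the approved change requests, the time window
and the events are constructed for illustration.
"""
from ipaddress import ip_address

CRITICAL_EXPOSED = {"192.168.1.55"}                                   # constructed: critical servers reachable from the Internet
APPROVED_CHANGES = {("chris", "192.168.1.55", "release-notes.txt")}   # constructed: (user, server, file) with a change request
WINDOW = 600                                                          # seconds that still count as "shortly after"

# Constructed events: (time, kind, user or client ip, server, filename)
EVENTS = [
    (1000, "ftp.put", "chris", "192.168.1.55", "release-notes.txt"),
    (1100, "http.get", "67.202.59.203", "192.168.1.55", "release-notes.txt"),
    (2000, "ftp.put", "alex", "192.168.1.55", "backup.zip"),
    (2050, "http.get", "10.0.0.7", "192.168.1.55", "backup.zip"),
    (2200, "http.get", "67.202.59.203", "192.168.1.55", "backup.zip"),
    (5000, "http.get", "67.202.59.203", "192.168.1.55", "backup.zip"),
]


def is_external(addr):
    """True for a globally routable address; RFC 1918 and other reserved space is internal."""
    return ip_address(addr).is_global


def correlate(events, critical=CRITICAL_EXPOSED, approved=APPROVED_CHANGES, window=WINDOW):
    """Return one alert per unapproved upload. Severity is 'medium' for the
    policy violation alone and is raised to 'high' when an external client
    fetches the same file from the same server within the window."""
    alerts = []
    pending = {}   # (server, filename) -> alert for the unapproved upload
    for t, kind, who, server, fname in sorted(events):
        if kind == "ftp.put" and server in critical:
            if (who, server, fname) in approved:
                continue   # covered by a change request: not a violation
            alert = {"time": t, "severity": "medium", "user": who, "server": server,
                     "file": fname, "reason": "FTP upload to critical exposed server without change request"}
            pending[(server, fname)] = alert
            alerts.append(alert)
        elif kind == "http.get" and (server, fname) in pending:
            alert = pending[(server, fname)]
            in_window = alert["time"] < t <= alert["time"] + window
            if is_external(who) and in_window and alert["severity"] != "high":
                alert["severity"] = "high"
                alert["external_client"] = who
                alert["reason"] += f"; fetched by external client {who} {t - alert['time']}s later"
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The approved upload never produces an alert, an internal download does not escalate, and a download that arrives long after the window has closed is left at medium; only the external fetch inside the window turns the policy violation into the high-severity alert the lab shows.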
Step 5 Investigation
Choose the appropriate meta group by
1. Click on the menu next to Profile
Troubleshooting
Conclusion
RSA Security Analytics offers organizations a unified platform for incident detection, investigations, and
advanced security analysis. It allows their highly skilled security personnel to be more efficient and
less skilled security personnel to be more effective.