RSA SECURITY ANALYTICS
Network Monitoring & Forensics
DATA SHEET

AT A GLANCE

Augment your existing SIEM's capabilities with better visibility, analysis and workflow.

Discover attacks missed by other tools.

Inspect every packet session for threat indicators at time of collection with capture time data enrichment.

Instantly pivot from incidents into network packet detail to perform network forensics and understand the true nature and scope of the issue.

Today's threats are multi-faceted, dynamic and stealthy. The most dangerous attacks have never been seen before, rendering signature-based technologies ineffective. These threats often don't leave a footprint in logs, so security teams must augment their existing security technologies with network packet-based detection and investigations. To be effective, today's tools need to be able to handle the most current threats and handle issues like:

Lateral movement of threats as they gain a foothold
Covert characteristics of attack tools, techniques & procedures
Use of non-standard communication tools
Exfiltration or sabotage of critical data

SECURITY TEAMS NEED MORE FIREPOWER

To raise their game, security teams need more effective threat detection and need to conduct investigations significantly faster. This includes the ability to look at all this data with the minimum amount of manual effort, detect abnormal activity, analyze potential threats, and do a more detailed investigation of those threats that pose the biggest risks. When seeking more clarity and definitive answers to the most challenging security questions, security teams need a deeper level of detail and the agility to quickly examine application layer sessions and events in a way that is easy to comprehend, and this needs to be done in a matter of minutes, not hours or days.

RSA Security Analytics for Network Forensics

DEEP VISIBILITY DRIVES DETECTION

RSA Security Analytics captures and enriches full network packet data alongside other data types, like NetFlow, logs and endpoint data. RSA Security Analytics is a security solution with a flexible, modular approach allowing you to choose the full solution or to augment your existing security technologies with just network packet-based detection and investigation capabilities.

RSA's Network Forensic and Monitoring solution:

Performs data enrichment at the time of capture. It uses the solution's patented metadata framework to organize the data in a clear and navigable way. The metadata framework is based on a lexicon of nouns, verbs and adjectives characteristic of the actual application layer content and context parsed by Security Analytics at the time of capture. The metadata from the packets is normalized so the analyst can focus on the security investigation instead of data interpretation.

Executes rapid, deep investigation into network data. Having full network packet data allows you to readily reconstruct exactly what happened. With RSA Security Analytics this happens instantly, since the raw network data is tagged at the time of capture for rapid retrieval in the event of an investigation, rather than being slowly reconstructed while a problem is being investigated and time is at a premium. In addition, the incident management capability built into RSA Security Analytics lets investigators collaborate, annotate and manage response activities around a particular issue.

Automatically updates with the latest threat intelligence. RSA Security Analytics includes hundreds of parsers, plus dozens of correlation rules and feeds that detect the most current threats. RSA automatically delivers this threat intelligence to customers and embeds it into their systems. Therefore, users are able to more easily take advantage of what others have already found and spend less time building their system to identify threats that exist in their own environment.

CAPTURE TIME PACKET DATA ENRICHMENT MAKES DETECTION AND INVESTIGATIONS FASTER AND EASIER

RSA's security approach is akin to removing the hay (known good) until only needles (likely bad issues) remain, as opposed to traditional security approaches which attempt to search for needles in a giant haystack of data. To achieve this, RSA performs deep data enrichment right at the time of capture, making it much faster and more valuable for analysis in the midst of an investigation. This includes additional context, such as asset criticality, vulnerability data, risk level, event type, event source, device information, IP information, and configuration data expressed in over 175 different metadata fields. The figure below shows a sample of session characteristics captured by RSA Security Analytics.

UNIQUE DISTRIBUTED ARCHITECTURE FOR SCALABILITY

RSA Security Analytics' unique architecture allows organizations to collect and analyze large amounts of data and expand linearly. The federated infrastructure allows organizations to scale while still maintaining the ability to analyze and query seamlessly across the system. In order to analyze application layer traffic in real time at high data rates, the capture infrastructure must scale out as well as scale up. The distributed and hierarchical nature of the Security Analytics infrastructure enables an organization to incrementally add data collection, analysis, and archiving as needed. In higher throughput environments, the ability to separate primary read and write-to-disk functions allows Security Analytics to maintain both high capture rates and fast analytic response times.

FLEXIBLE INTEGRATION

Integrate with your existing SIEM implementation by using RSA Security Analytics' open API to extend its value. This gives you the ability to easily investigate alerts found in your existing SIEM using RSA Security Analytics, or to forward alerts from RSA Security Analytics to your SIEM or other tool. RSA Security Analytics also has the ability to combine your existing SIEM alerts with RSA Security Analytics alerts in the Incident Management console. This gives analysts the ability to aggregate alerts across tools into security incidents, which are then prioritized for a much more informed and efficient response.

CONTACT US
To learn more about how EMC
products, services, and solutions can
help solve your business and IT
challenges, contact your local
representative or authorized reseller
or visit us at www.emc.com/rsa.

EMC2, EMC, the EMC logo, and RSA are registered trademarks or trademarks of EMC
Corporation in the United States and other countries. VMware is a registered trademark or
trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2014 EMC
Corporation. All rights reserved. Published in the USA. 08/14 Data Sheet H13416
EMC believes the information in this document is accurate as of its publication date. The
information is subject to change without notice.