RSA SECURITY ANALYTICS - SEE EVERYTHING. FEAR NOTHING.
Valerio Coletti, RSA Account Manager, Partner Sales
17 February 2016
RSA Security Analytics - The Innovation Group



At first, there were HACKS: preventative controls filter known attack paths.

[Diagram: Evolution of Threat Actors & Detection, and its implications. Malicious traffic from threat actors passes through Firewall, IDS/IPS and AntiVirus on its way to corporate assets; the whitespace between those controls is where successful HACKS happen.]

Then, ATTACKS: despite increased investment in controls, including SIEM.

[Diagram: the same Firewall / IDS/IPS / AntiVirus chain now sends more logs into a SIEM, which records blocked sessions and raises alerts; the remaining whitespace is where successful ATTACKS happen.]

Now, successful ATTACK CAMPAIGNS target any and all whitespace.

Complete visibility into every process and every network session is required to eradicate the attacker's opportunity: a unified platform for advanced threat detection and investigation.

[Diagram: Firewall, IDS/IPS and AntiVirus still produce blocked sessions and alerts, but Logs, Endpoint Visibility (processes) and Network Visibility (network sessions) are all fed into Security Analytics.]

A new approach is needed.

The Power of a Modular Risk-Based Approach (Security Analytics)

  Data source   Depth      What it answers
  Logs          Basic      Connection information
  NetFlow       Wide       How far the intrusion spread
  Endpoints     Extended   Where the infection is located
  Packets       Deep       How you got infected and what the attacker did

RSA Security Analytics Solution: CAPTURE, ENRICH AND ANALYZE DATA FROM ACROSS YOUR NETWORK

[Architecture diagram]
  Visibility: LOGS | PACKETS | ENDPOINT | NETFLOW, collected on-prem and in the cloud
  Enrich: capture-time data enrichment
  Analysis: Advanced Analytics
  Action: Investigation | Compliance Reporting | Endpoint Analysis | Session Reconstruction | Incident Management
  RSA LIVE INTELLIGENCE: Threat Intelligence | Rules | Parsers | Feeds | Reports | RSA Research

Integrated Intelligence with RSA Live

RSA LIVE: Threat Intel | Biz Context | Rules | Parsers | DS Models | Reports | Feeds
Powered by RSA Research, Incident Response & Engineering

OPERATIONALIZE INTELLIGENCE: take advantage of what others have already found and apply it against your current and historical data.

  1. Gathers advanced threat intelligence and content
  2. Aggregates & consolidates data
  3. Automatically distributes correlation rules, blacklists, parsers, views, feeds

Exceeding SIEM Requirements: Out-of-the-Box content

  Log & Network Mgmt.
    • Logs, packets, NetFlow & endpoint together
    • Visibility far beyond logs
    • 375+ log & network parsers / event sources
  Event Correlation
    • 275+ out-of-the-box correlation rules
  Incident Response
    • Native, prioritized incident triage
    • Wider SOC management capabilities
  Compliance & Reporting
    • 90+ report templates
    • Integration with compliance management program

Incident Detection

  • Correlation across logs, packets, NetFlow and endpoint data, separately or together
  • Discover attacks missed by other tools
  • Real-time detection, e.g. detecting a PDF containing an executable, followed by encrypted traffic to a blacklisted country

“Standard SIEM” Use Case with RSA Security Analytics

  • Compliance: user activity, login/logout, ..
  • Security Alert: failed login followed by successful login, ..
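The two sequence rules quoted on these slides (a PDF carrying an embedded executable followed by encrypted traffic to a blacklisted country, and failed logins followed by a successful login) are both instances of one "A followed by B, same host or user, within a window" correlation. The block below is an added example written for this page, not RSA Security Analytics code: the event field names, the country blacklist, the thresholds and the time windows are assumptions, and the events are constructed sample data standing in for packet session metadata and an authentication log.

```python
"""Sequence correlation over mixed packet and log events.

Added example for the two slide use cases: (1) a PDF carrying an embedded
executable followed by encrypted traffic to a blacklisted country, and
(2) failed logins followed by a successful login. Not RSA Security
Analytics code; field names, blacklist, thresholds and windows are assumed.
"""
from datetime import datetime, timedelta

# Assumed blacklist of destination countries (made-up codes).
BLACKLISTED_COUNTRIES = {"XX", "YY"}

# Constructed sample events. "packet" records stand in for session
# metadata from network capture, "log" records for an authentication log.
EVENTS = [
    {"ts": "2016-02-17T09:00:05", "src": "packet", "host": "10.0.0.7",
     "filetype": "pdf", "embedded_exe": True, "encrypted": False, "dst_country": "IT"},
    {"ts": "2016-02-17T09:03:40", "src": "packet", "host": "10.0.0.7",
     "filetype": None, "embedded_exe": False, "encrypted": True, "dst_country": "XX"},
    # Same kind of encrypted session, but no preceding dropper on this host.
    {"ts": "2016-02-17T09:04:00", "src": "packet", "host": "10.0.0.9",
     "filetype": None, "embedded_exe": False, "encrypted": True, "dst_country": "XX"},
    {"ts": "2016-02-17T10:00:00", "src": "log", "user": "alice", "outcome": "failure"},
    {"ts": "2016-02-17T10:00:10", "src": "log", "user": "alice", "outcome": "failure"},
    {"ts": "2016-02-17T10:00:20", "src": "log", "user": "alice", "outcome": "failure"},
    {"ts": "2016-02-17T10:00:30", "src": "log", "user": "alice", "outcome": "success"},
    # One failure, then a success well outside the window: no alert.
    {"ts": "2016-02-17T10:05:00", "src": "log", "user": "bob", "outcome": "failure"},
    {"ts": "2016-02-17T11:30:00", "src": "log", "user": "bob", "outcome": "success"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events, key, first, second, window, min_first=1):
    """Generic 'A followed by B' rule.

    Emits one alert for each event matching `second` that is preceded,
    within `window`, by at least `min_first` events matching `first`
    with the same value of the join field `key` (host, user, ...).
    Events are sorted by timestamp first, so out-of-order arrival from
    different collectors does not break the sequence logic.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    pending = {}  # join value -> timestamps of recent `first` matches
    alerts = []
    for e in ordered:
        k = e.get(key)
        if k is None:          # event lacks the join field; not relevant to this rule
            continue
        t = parse_ts(e["ts"])
        # Drop state older than the window so per-key memory stays bounded.
        pending[k] = [t0 for t0 in pending.get(k, []) if t - t0 <= window]
        if first(e):
            pending[k].append(t)
        if second(e) and len(pending[k]) >= min_first:
            alerts.append({"key": k, "ts": e["ts"], "preceded_by": len(pending[k])})
            pending[k] = []    # fire once per sequence, then start over
    return alerts


def detect_dropper_then_c2(events):
    """PDF with embedded executable, then encrypted session to a blacklisted country."""
    return correlate(
        events, key="host",
        first=lambda e: e["src"] == "packet" and e.get("filetype") == "pdf" and e.get("embedded_exe"),
        second=lambda e: e["src"] == "packet" and e.get("encrypted")
                          and e.get("dst_country") in BLACKLISTED_COUNTRIES,
        window=timedelta(minutes=15),
    )


def detect_failures_then_success(events, threshold=3):
    """At least `threshold` failed logins, then a successful one, for the same user."""
    return correlate(
        events, key="user",
        first=lambda e: e["src"] == "log" and e.get("outcome") == "failure",
        second=lambda e: e["src"] == "log" and e.get("outcome") == "success",
        window=timedelta(minutes=10), min_first=threshold,
    )


if __name__ == "__main__":
    for alert in detect_dropper_then_c2(EVENTS) + detect_failures_then_success(EVENTS):
        print(alert)
```

Run as a script it prints one alert for host 10.0.0.7 and one for user alice; host 10.0.0.9 and user bob produce nothing because the first half of the sequence is missing or outside the window. Two practical caveats the slides do not mention: the rule joins packet and log data purely on timestamps, so the capture appliance and the log sources must be on synchronized clocks or sequences will be missed silently, and a rule like this needs the per-key state expiry shown above, otherwise a long-running deployment accumulates one list per host or user forever.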


“Advanced SIEM” Use Case with RSA Security Analytics

  • Threat Intelligence: malware, trojan, ..
  • Botnet: internal infected workstation, ..
  • GeoIP: source and destination country, suspicious country, ..
  • Advanced Persistent Threat: command & control, data exfiltration, ..

Native Incident Management: unified incidents & workflow

[Diagram: LOGS | PACKETS | ENDPOINT | NETFLOW, on-prem and cloud, enriched by RSA LIVE, feed Alerts, then Investigation, Workflow and GRC, giving prioritized action.]

Benefits

  • Detect and analyze before attacks impact the business
  • Investigate, prioritize, and remediate incidents
  • Unleash the potential of your existing security team
  • Evolve existing tools with better visibility & workflow

Security Attacks are Inevitable

Must be ARMED to quickly identify and respond to attacks before they can damage the business.

Constant compromise does not mean constant loss.

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

See Everything. Fear Nothing.


Thank You