
One of the key themes of the upcoming RSA Global Summit is how best to build a security operations center (SOC) up as well as out. This is not an easy task: more than any other area of IT or IT security, it requires the seamless marriage of the classic triad of people, processes, and technology. Once an organization starts to recognize the need for systematic improvement in its incident detection and response, it comes to recognize that technology is generally the easiest part of the equation. In fact, the building up and out of an organization's SOC often coincides with its recognition that there is no such thing as a security "magic box". What is needed is a balanced approach in which the technology both maximizes the efficiency and effectiveness of the SOC analysts and helps drive, prioritize, and maximize the continual processes that make up an organization's incident detection, investigation, and remediation program. The bottom line for this blog entry: if you want to engage more deeply in this conversation in support of building your organization's SOC up and out, plan to attend RSA's Global (user) Summit this September 9-11.

We are pleased to announce the release of our August Content pack in RSA Live for Security Analytics! This release continues last month’s focus on illuminating instances of sensitive data leakage and offers content designed to profile host and user activity. We’ll also be introducing our first batch of correlation rules connecting the dots between what SA is seeing “on the wire” and ECAT’s host-based alerts. Last but not least, this release expands our ability to provide our customers with the tools to detect potential identity theft and abuse.

Detection of Data Exfiltration

  • Introducing new Application rules, ESA rules, and Reports for detecting large outbound connections to cloud services, third-party mailers, and common posting sites. Also included is detection content to help customers identify instances of internal data harvesting and subsequent posting to cloud drive services.

ECAT & Security Analytics

  • ECAT does an excellent job of detecting advanced threats affecting a host. To further complement its detection ability is a set of ESA rules that will look at both ECAT alerts and a protected host's activity on the network. This builds a foundation for providing an unparalleled level of insight into the stealthiest of advanced threats. New are four ESA rules for correlating ECAT alerts with:
    • Core Botnet alerting
    • Beaconing activity
    • Audit log clearing
    • Suspicious encrypted traffic

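As an illustration of the host/network correlation described above (added here as an example; this is not RSA's ESA rule logic or any product output), the following Python flags host-to-destination connection series with nearly constant intervals as beaconing and pairs them with host-based alerts from the same host inside a time window. The connection records, alert records, hostnames, and addresses are all constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data: (timestamp, source host, destination IP) for
# outbound connections, and (timestamp, host, alert name) for host-based alerts.
CONNECTIONS = [
    ("2014-08-12T09:00:00", "ws-17", "203.0.113.50"),
    ("2014-08-12T09:05:01", "ws-17", "203.0.113.50"),
    ("2014-08-12T09:10:00", "ws-17", "203.0.113.50"),
    ("2014-08-12T09:14:59", "ws-17", "203.0.113.50"),
    ("2014-08-12T09:20:00", "ws-17", "203.0.113.50"),
    ("2014-08-12T09:01:00", "ws-22", "198.51.100.9"),  # irregular: not a beacon
    ("2014-08-12T09:42:00", "ws-22", "198.51.100.9"),
    ("2014-08-12T10:03:00", "ws-22", "198.51.100.9"),
    ("2014-08-12T11:30:00", "ws-22", "198.51.100.9"),
]
HOST_ALERTS = [
    ("2014-08-12T08:55:00", "ws-17", "suspicious process injection"),
    ("2014-08-12T09:30:00", "ws-22", "suspicious process injection"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_beacons(conns, min_count=4, max_jitter=0.1):
    """Return {(host, dst): (first, last)} for host/destination pairs whose
    inter-connection gaps are nearly constant (std/mean <= max_jitter)."""
    by_pair = {}
    for ts, host, dst in conns:
        by_pair.setdefault((host, dst), []).append(parse(ts))
    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons[pair] = (times[0], times[-1])
    return beacons


def correlate(alerts, beacons, window=timedelta(hours=1)):
    """Pair each host alert with beaconing from the same host whose activity
    overlaps [alert time - window, alert time + window]."""
    hits = []
    for ts, host, name in alerts:
        t = parse(ts)
        for (bhost, dst), (first, last) in beacons.items():
            if bhost == host and first <= t + window and last >= t - window:
                hits.append((host, name, dst))
    return hits
```

Only ws-17 is reported: its connections recur every five minutes within a couple of seconds, and a host alert on the same machine falls inside the window, while ws-22's irregular gaps fail the jitter test.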
  • As identity theft, fraud, and abuse escalate further toward the top of our customers' concerns, new content is being developed to help detect unauthorized, abusive, or fraudulent user activity occurring on their networks. Identity content includes:
    • 2 ESA rules for detecting unusual administrative activity and suspicious account removal
    • 3 Reports for summarizing user account activity, privileged account activity, and all activity associated with a particular user list


Additional Log Support

  • Support for Cisco Meraki and SafeNet HSM platforms, along with 2 further new and 28 updated sources

RATs are hard to deal with in part because they are small, scamper around generally unseen, and take your stuff without your knowledge.  Of course anyone in this product community who is reading this knows that I am talking about Remote Access Trojans and not the small mammals with small noses and big tails.  Computer RATs and the people that develop and use them are just as cunning as their furry namesakes, but are perhaps more dangerous.  There are many varieties of RATs out there (Hydraq, LURK, Sogu, Poison Ivy, etc.), but in general they share many characteristics: they tend to be small and downloaded invisibly, delivered via an email attachment to an unsuspecting and sufficiently socially engineered user; they typically enable user monitoring via keyloggers to steal the user's credentials and other information; they take screen shots of the host system for delivery to their master; they install/delete software or reformat drives; not to mention that they "recruit" their hosts and others on the network into botnet armies.  In short, RATs can be extremely valuable to the bad guys and extremely annoying to you and your organization.  But how to detect and get rid of them? If you want to learn more about RATs and how to find and eradicate them from your environment, I encourage you to come and take part in our upcoming (early September in Washington DC) user conference, the RSA Global Summit.  There are two sessions that focus specifically on how to detect RATs, one by using RSA Security Analytics and its network-based visibility (Blind Spot Analysis – Finding RAT Communications Through Entropy and Analytics) and the other on how to do it by leveraging RSA ECAT and its endpoint-level visibility (Catching the RAT with ECAT), both delivered by off-the-charts experts on the topic. Check out these sessions as well as dozens of others on the Summit registration site.