RSA NetWitness Platform Blog, September 2014

We are very excited to announce a set of new content specifically designed to take advantage of the release of RSA Security Analytics 10.4 and RSA ECAT 4.0!


One of the major content highlights of the Security Analytics 10.4 release is the addition of NetFlow support. To take advantage of this new feature, we’ve created a suite of NetFlow rules and reports that will allow you to collect and correlate flow-based host and protocol statistics. This allows our customers to better detect potentially malicious activity that may not occur underneath the umbrella of a packet or log decoder.


Another highlight of these releases is the deeper integration between RSA ECAT and RSA Security Analytics and the ability for ECAT to utilize RSA Live feeds. This content release includes a set of correlation rules from Event Stream Analysis (ESA) to integrate endpoint data with log and network data. Additionally, we have provided a set of new threat detection rules to detect identity abuse and DoS events.



• New NetFlow reports providing a summary of top talkers, protocols, and applications.

• New NetFlow alerts triggering on high volume TCP reset events, as well as SYN flood detection.

• NetFlow reports for “First Heard” source and destination IP.
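The two NetFlow alert conditions listed above (a burst of TCP resets and a SYN flood against one destination) can be expressed as threshold rules over flow records. The following is an added illustration in Python, not RSA content or an ESA rule: it runs over a constructed list of NetFlow-style records, and the field names, thresholds and sample values are assumptions chosen for the example.

```python
"""Flow-based detection of SYN floods and TCP reset storms.

Added example, not RSA content. It works on a constructed list of
NetFlow-style records (src, dst, dst_port, tcp_flags, packets) and
applies two threshold rules per destination within a window:
  * SYN flood: many flows with SYN set and ACK clear, i.e. handshakes
    that were never completed.
  * Reset storm: many flows whose cumulative TCP flags include RST.
The thresholds and sample data are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# TCP flag bits as exported in the NetFlow v5/v9 tcp_flags field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    tcp_flags: int   # OR of all flags seen in the flow
    packets: int


def syn_only(flow):
    """True for a flow that opened a handshake but never saw an ACK."""
    return bool(flow.tcp_flags & SYN) and not (flow.tcp_flags & ACK)


def has_rst(flow):
    return bool(flow.tcp_flags & RST)


def detect(flows, syn_threshold=100, rst_threshold=50):
    """Return destinations whose SYN-only or RST flow counts exceed the
    thresholds: {"syn_flood": {dst: count}, "tcp_reset": {dst: count}}."""
    syn_counts = Counter()
    rst_counts = Counter()
    for f in flows:
        if syn_only(f):
            syn_counts[f.dst] += 1
        if has_rst(f):
            rst_counts[f.dst] += 1
    return {
        "syn_flood": {d: c for d, c in syn_counts.items() if c >= syn_threshold},
        "tcp_reset": {d: c for d, c in rst_counts.items() if c >= rst_threshold},
    }


def sample_flows():
    """Constructed data: 150 single-packet SYN-only flows from spoofed
    sources to 10.0.0.5:443, 60 RST flows to 10.0.0.9, and 20 normal
    completed sessions to 10.0.0.7 that must not alert."""
    flows = [Flow(f"198.51.100.{i % 250 + 1}", "10.0.0.5", 443, SYN, 1)
             for i in range(150)]
    flows += [Flow("10.0.1.20", "10.0.0.9", 80, RST | ACK, 1) for _ in range(60)]
    flows += [Flow("10.0.1.21", "10.0.0.7", 443, SYN | ACK | PSH | FIN, 40)
              for _ in range(20)]
    return flows


if __name__ == "__main__":
    for rule, hits in detect(sample_flows()).items():
        for dst, count in hits.items():
            print(f"{rule}: {dst} ({count} flows in window)")
```

The flag test matters more than the raw count: a busy web server also receives thousands of flows with SYN set, but those flows go on to carry ACK, so the SYN-only filter keeps them out of the flood counter. In production the counts would be kept per sliding time window rather than over a static list.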


Endpoint detection with RSA ECAT alerts

• New correlation rules in ESA for detecting malicious endpoint activity found by ECAT combined with network activity captured by Security Analytics. Use the power of both tools to gain broader visibility into your environment and detect compromised hosts.


Threat Detection

• New ESA correlation rules to identify potential identity abuse and suspicious privilege escalations.

• ESA rules to identify multiple denial of service techniques.





The RSA Advanced SOC Content Team

When working in a Security Operation Center, it is not uncommon to continuously adapt the people, the processes and the technologies to objectives that evolve over time, because the business requirements are dynamic and the threat landscape out there is never the same. Every single environment is somehow unique and each organization has peculiar needs which are eventually reflected in the way the SOC operates and achieves its goals.


While adapting to new situations is inherent to human nature, each piece of technology instead embeds a logic that is not always easy to subvert. This is why relying on products which allow a high degree of customization can become a key element in an organization's SOC strategy, leading to easier integration with the enterprise environment, increased quality of service and eventually a better return on investment.


Flexibility has always been a central element of Security Analytics, and easily adapting the platform to handle custom use cases is a key factor. But you would say, let’s prove it then!


During the last few weeks I have posted a few articles here about customizing the platform, intended to demonstrate how to get more value out of it or how to achieve complex use cases.


In my first post (available at I shared some simple rules intended to promote a standard naming convention and approach to "tag" inbound/outbound connections, as well as to name our networks.

Understanding whether a connection is going into or out of our network is key to focusing our investigations, running our reports and configuring our alerts. Tagging our networks is, on the other hand, relevant to determining which service is impacted, evaluating the risk and prioritizing our follow-up actions accordingly.


In my second article (available at I focused on how to enhance the log parsing mechanism by leveraging parsers commonly used to analyze a network stream, which are more flexible and powerful. I demonstrated a specific use case by providing a sample parser which generates a hash of the entire log message and stores it in a meta key. This is, for example, a common scenario when a compliance requirement mandates a per-event integrity check.


In my third post (available at I discussed a simple but interesting scenario. The Event Stream Analysis module, responsible in Security Analytics for correlating log and packet meta to identify potentially malicious or anomalous activities, is often the last link of the chain, transferring its results outside the platform (to the analyst, to a ticketing system, etc.). There are however many relevant use cases that can be accomplished by feeding this information back into Security Analytics: just to name a few, providing additional context during an investigation by making available all the alerts triggered by a specific user/endpoint, or implementing a sort of multi-step correlation scenario. Sample parsers were provided in this case as well.


In my last post (available at I wanted to recall a capability already mentioned a few times in the discussions here but never emphasized enough: leveraging parsers to post-process the meta values created by a log parser in order to generate new pieces of meta. A typical example is to split a URL identified by all the parsers into domain, TLD, directory, page and extension. Applying this logic in every log parser that generates URLs may be possible but does not scale very well. A single parser can instead do the job easily and effectively.
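The URL decomposition described above, as an added Python illustration of the post-processing logic (not the author's sample parser, which is not reproduced on this page): it takes one URL meta value and derives domain, TLD, directory, page and extension from it. The output field names are assumptions, and the TLD rule (last label of the host name) is deliberately naive; a deployment that must handle multi-label suffixes such as co.uk would consult a public suffix list.

```python
"""Post-process a URL meta value into domain, TLD, directory, page and
extension. Added example, not RSA content: field names and the naive
single-label TLD rule are assumptions for the illustration."""
from urllib.parse import urlsplit
import posixpath


def split_url(url):
    """Return a dict of derived meta values for one URL string.

    The query string and fragment are intentionally dropped: the
    directory/page/extension fields describe the requested path only."""
    # urlsplit only recognises the host when a scheme is present, and
    # log sources often record bare "host/path" URLs.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""          # lower-cased, port removed

    # Naive TLD: the last DNS label. IPv4 and IPv6 literals get none.
    labels = host.split(".")
    is_ipv4 = host.replace(".", "").isdigit()
    tld = labels[-1] if len(labels) > 1 and not is_ipv4 else ""

    path = parts.path or "/"
    directory, page = posixpath.split(path)
    if not directory.endswith("/"):
        directory += "/"                 # "/images" -> "/images/"
    extension = posixpath.splitext(page)[1].lstrip(".").lower()

    return {
        "domain": host,
        "tld": tld,
        "directory": directory,
        "page": page,
        "extension": extension,
    }


if __name__ == "__main__":
    # Constructed sample values, one per edge case the parser must handle.
    for sample in ("http://www.Example.com/images/logo.PNG?x=1",
                   "example.org",
                   "https://10.0.0.5:8443/a/b/"):
        print(sample, "->", split_url(sample))
```

Running this once over a meta value is what lets a single parser serve every log source: no matter which log parser produced the URL, the same function yields the same five fields, so reports and alerts can be written once against "extension" or "tld" rather than per source.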


All of these examples are intended to show how a technology, when designed to be flexible, can easily adapt to specific situations, thus supporting the achievement of complex use cases or ad-hoc requirements.

Here at RSA we are excited and pleased to announce the highly anticipated, external joint launch of RSA Security Analytics 10.4 & ECAT 4.0. No other tool on the market today gives you the capability and power to "Be The Hunter".

With this latest release of Security Analytics and ECAT, three words define our mission: Visibility. Analysis. Action. We are providing SOC teams broader visibility, enabling the team to focus on the most important incidents. We’re also enabling rapid analysis and faster investigations of incidents, leveraging data from network packets, endpoints, logs and NetFlow all in one platform. That way, they get to understand the true nature, scope, and impact of an incident and take targeted action.

RSA Security Analytics 10.4 overview:

  • Expanded Collection Options
    • Netflow support
    • CEF support
    • Support for 250+ Log Sources
  • Enhanced Network Investigations
    • Accelerated UI performance
    • Streamlined analyst workflow and more!
  • Tighter Integrations with RSA ECAT
    • Providing extended visibility down to the endpoint
    • Correlate network data, logs, and endpoint data
    • Pivot from Security Analytics Investigation directly into ECAT for deeper endpoint investigations
  • SIEM and Beyond Analytics
    • Centralized rule management
    • Alert Enrichment Options & Enhanced Alerting Capabilities
    • Data Science Driven Advanced Analytics leveraging the Pivotal HD Data Warehouse
  • Native Incident Triage/Management
    • Single console for managing queues and investigating issues
    • Centralized view into incidents across SA enabling analysts to rapidly identify, triage, investigate and respond to security events
    • Combined view of alerts from logs, packets, malware, ECAT
    • Integration with SecOps and ticketing systems
  • Platform Enhancements


RSA ECAT 4.0 Overview:

  • Scalability & Manageability Improvements
    • 50K hosts per server (2.5x increase)
    • Unified view in Console UI
  • Completely Redesigned UI
  • Enhanced Detection Capabilities & Real-time Alerting
    • Alert on suspicious behavior in real-time
    • Early warning of potentially malicious activity
    • Send to Security Analytics or other SIEM solutions
  • Mac OS X Support
  • RSA Live Support
  • Tighter Integrations with RSA Security Analytics
    • More ECAT metadata fed into Incident Management and SA Investigation


Check out the Virtual Event here: RSA Security Analytics 10.4 and RSA ECAT 4.0 Virtual Launch Event.  Tell us what you think!

“Look out honey, ‘cause I’m using technology”

– from Search And Destroy by Iggy & The Stooges


The old saying goes “You cannot stop what you cannot see”. This is why one of our obsessions in the Advanced SOC group at RSA is our focus on visibility. We want to ensure that our customers have the broadest view possible so they stop missing attacks that are putting their organizations at risk.  One reason they are missing attacks is because they are relying on a log-centric approach.  This limited scope means that they are only getting insight into the most basic security data, and missing out on the rich context that would give them a fighting chance to defend their organization against advanced attackers.


RSA Security Analytics is the only solution that has visibility across log, network packet, NetFlow and endpoint data in a single infrastructure. This broad view gives analysts the ability to see everything happening in their environment, not just what was logged. Utilizing a risk-based approach to data collection allows organizations to collect the data that is appropriate for their needs and use cases. Each of these data sources provides teams with a different perspective:


  • Logs: Logs give basic security information and can be useful to spot previously seen attack signatures. While helpful, they don't have the deep detail to spot many attacks, especially advanced attacks, and lack the context to understand what is truly happening and what to do about it. This is partially why log-centric SIEMs struggle at incident detection, investigation and response.
  • Packets: Full packet capture is the most important data source for incident detection, investigation and response. Packets give the SOC visibility to see everything happening on their network, especially when the data is enriched at capture time with additional context. Utilizing packets, SOCs can understand what exactly happened, what was targeted and how they were impacted. This is absolutely crucial to go beyond basic correlation and move to an intelligence-driven security approach.
  • NetFlow: NetFlow, while not nearly as rich as packets, can be a useful data source. We see NetFlow serving two primary use cases. First, for those who have logs and want more visibility into network traffic but aren’t ready for packets, NetFlow is a good in-between step. Second, NetFlow is a good fit for those who want visibility into internal traffic, typically to detect lateral movement. Packets are best for this use case but are not always realistic to deploy at this scale. As an alternative, NetFlow gives organizations some visibility here to help spot internal movement of attackers.
  • Endpoints: Endpoint data is in some ways the forgotten ingredient for complete visibility. While some SIEMs offer basic endpoint information, it is nowhere near the level of detail needed to be helpful for detection or investigations. Using RSA ECAT and its unique scan technologies, SOCs can get a real-time x-ray view into what is happening on the endpoint. This gives teams the ability to detect threats undiscovered by traditional AV and to conduct deep-dive investigations on the endpoint; combining this data with log and network information gives teams a much more robust view of their environment. RSA ECAT also has the added advantage of instantly identifying all other machines that were infected, to know how far the threat spread. This way SOCs can not only detect the attack and understand what the attacker attempted to do, but also see where they are still vulnerable.


At RSA we’re obsessed with providing the broadest visibility possible, from logs to packets to NetFlow to endpoints. Utilizing a risk-based approach to data collection, SOCs can choose the right data for the right use cases, giving them not just visibility but the right kind of visibility.


What types of data sources do you rely on? Where could you use more visibility?

A teaser session on YouTube from Jessvin Thomas of Accuvant. At the Summit you can hear this and many other sessions live... if you attend!
