“Look out honey, ‘cause I’m using technology”
– from Search And Destroy by Iggy & The Stooges
The old saying goes “You cannot stop what you cannot see”. This is why one of our obsessions in the Advanced SOC group at RSA is our focus on visibility. We want to ensure that our customers have the broadest view possible so they stop missing attacks that are putting their organizations at risk. One reason they are missing attacks is because they are relying on a log-centric approach. This limited scope means that they are only getting insight into the most basic security data, and missing out on the rich context that would give them a fighting chance to defend their organization against advanced attackers.
RSA Security Analytics is the only solution that has visibility across log, network packet, NetFlow and endpoint data in single infrastructure. This broad view gives analysts the ability to see everything happening in their environment, not just what was logged. Utilizing a risk-based approach to data collection allows organizations to collect the data that is appropriate for their needs and use cases. Each of these data sources provides teams with a different perpective:
- Logs: Logs give basic security information and can be useful to spot previously seen attack signatures. While helpful, they don’t have the deep detail to spot many attacks, especially advanced attacks, and lack the context to understand what is truly happening and what to do about it. This is partially why log-centric SIEMs struggle at incident detection, investigation and response.
- Packets: Full packet capture is the most important data source for incident detection, investigation and response. Packets give the SOC visibility to see everything happening on their network, especially when the data is enriched at capture time with additional context. Utilizing packets SOCs can understand what exactly happened, what was targeted and how they were impacted. This is absolutely crucial to go beyond basic correlation and move to an intelligence-driven security approach.
- NetFlow: NetFlow, while not nearly as rich as Packets, can be a useful data source. We see NetFlow serving two primary use cases. First, for those who have logs and want more visibility into network traffic but aren’t ready for packets NetFlow is a good in-between step. Second, NetFlow is a good fit for those who want visibility into internal traffic, typically to detect lateral movement. Packets are best for this use case but are not always realistic to be deployed at this scale. As an alternative, NetFlow gives organizations some visibility here to help spot internal movement of attackers.
- Endpoints: Endpoint data is in some ways the forgotten ingredient for complete visibility. While some SIEMs offer basic endpoint information, it is nowhere near the level of detail needed to be helpful for detection or investigations. Using RSA ECAT and its unique scan technologies, SOCs can get a real-time x-ray view into what is happening on the endpoint. This gives teams the ability to detect threats undiscovered by traditional AV, conduct deep dive investigations on the endpoint and analyze and combine this data with log and network information gives teams a much more robust view of their environment. RSA ECAT also has the added advantage of instantly identifying all other machines that were infected to know how far the threat spread. This way SOCs can not only detect the attack and understand what the attacker attempted to do, but also see where they are still vulnerable.
At RSA we’re obsessed with providing the broadest visibility possible from logs to packets to NetFlow to endpoints. Utilizing a risk-based approach to data collection SOCs can choose the right data for the right use cases giving them not just visibility…but the right kind of visibility.
What types of data sources do you rely on? Where could you use more visibility?