Mark Karlstrand

Detecting Malicious Domains With Behavior Analytics

Blog post created by Mark Karlstrand on Apr 8, 2016

What if you could find hosts in your network that are actively communicating with previously unknown malicious domains? Using the new behavior analytics module introduced in Security Analytics (SA) 10.6, you can. This threat detection module is the first of many behavior analytics modules RSA will be delivering within SA. The new capability builds on the industry-leading network, log and endpoint data collection SA is known for. Our goal is to dramatically expand the value SA delivers by automating common hunting activities and detecting threats that would be very difficult and time consuming to find manually.


With this release RSA has developed a new threat detection analytics solution hosted within the Event Stream Analysis (ESA) component. It consumes network metadata and identifies behaviors indicative of command and control communications. The detection service delivers prioritized alerts for analysts to investigate, so they can find infected hosts much more quickly.


Customers that have SA network packet capture and the ESA component deployed can upgrade to 10.6 and follow a short list of steps to enable this new detection module. Once enabled, the module automatically “warms up” for 24 hours and then starts generating prioritized alerts. These alerts are enriched with context, including domain registration information and details of the behaviors that were determined to be suspect. As analysts triage and investigate alerts, the solution uses their feedback to further train the detection module, improving future accuracy.


We encourage you to upgrade to SA 10.6 and start using this new capability to help defend your organization. If you are interested in seeing a short video of this feature in action, click here.


Documentation on this capability may be found here.