Michael Wilson

Leveraging RSA's New Live Connect Community Based Threat Intelligence Service

Blog Post created by Michael Wilson Employee on Aug 19, 2016

Ever feel like an analyst alone on an island attempting to hunt down the latest attack or risk in your network?  Or, when trying to investigate an incident or potential attack, do you ever find yourself digging through mountains of data and information while still not feeling like you have enough context or perspective on the data to make informed decisions?


With the release of Security Analytics 10.6.1, we are more formally introducing the new RSA Live Connect community based threat intelligence sharing service.  This service is a cloud based threat intelligence service that gathers, correlates, analyzes, and process threat intelligence across the RSA Security Analytics community.  In turn, this intelligence can be leveraged by SA customers during the threat investigation workflow.  During this initial release RSA Live Connect, the "Threat Insights" service option will provide a threat intelligence risk assessment, anonymous community statistics, and an opportunity to 'give back' to the community by providing risk assessment feedback for a given IP address that Live Connect is tracking.




Enabling the RSA Live Connect service in Security Analytics:


Participation in the RSA Live Connect service is completely voluntary.  Upon initial install or upgrade of Security Analytics 10.6.1, an application administrator will proactively be presented with a popup window with detailed information about the service and the opportunity to confirm acceptance into the service or opt out through the Live Services configuration interface.  Also, authentication to Live Connect is down with existing RSA Live credentials.  If you don't have an RSA Live account, details for enrolling and configuring can be found at RSA Security Analytics Live account.  


Service popup:



Authentication via RSA Live Credentials:




Live Services Configuration:



Leveraging the RSA Live Connect service during SA Investigations workflow:

Once you have enabled and configured the Live Connect service, an analyst will have the ability to leverage the Live Connect IP based threat intelligence during the Security Analytics Investigation workflow via the Context Hub.  If there is community based threat intelligence available for a given IP, the IP will be highlighted and a user can right mouse click to the Context Hub with a detailed view of the Live Connect assessment and statistics for the respective IP address.



In addition, upon completing an investigation on the given IP address, in turn, the analyst can provide feedback to RSA Live Connect to confirm that the IP is seen as 'Safe' or 'Risky'.  Again, this feedback is voluntary and anonymous.  However, feedback by the analysts provides tremendous value and insight to the RSA Live Connect service when assessing the risk level and providing insight to the broader RSA SA community.



The Live Connect service is being introduced as an open beta for all RSA Security Analytics customers with internet access and an RSA Live credential.  Again, participation in the beta is anonymous and completely optional.  For more detailed information about configuration and service details, see the RSA Security Analytics Live Connect documentation.


NOTE:  The RSA Live Connect service also independently provides an 'Analyst Behaviors' option for sharing threat investigation information that is independent of the 'Threat Insights option.   Details for this option can be found in the subsequent blog post 'Giving Back to the Community Through RSA Live Connect's 'Analyst Behaviors'.  In addition, for a more detailed description see the RSA Security Analytics Live Connect documentation.