
RSA NetWitness Platform

7 Posts authored by: NWPMM Employee

Hunting Webshells with RSA ECAT

Posted by NWPMM Employee Jan 14, 2016

RSA has been evaluating the impact of the SSL v3 "Poodle Bite" (CVE-2014-3566), Windows Sandworm (CVE-2014-4114), Microsoft .Net (MS14-057) & multiple OpenSSL Vulnerabilities (OpenSSL) on RSA Products.


To obtain the latest assessment, please reference Solution ID a68262 by logging on to SecurCare Online at:

Here at RSA we are excited and pleased to announce the highly anticipated, external joint launch of RSA Security Analytics 10.4 & ECAT 4.0.  No other tool on the market today gives you the capability and power to "Be The Hunter". 

With this latest release of Security Analytics and ECAT, three words define our mission:  Visibility. Analysis. Action.  We are providing SOC teams broader visibility, enabling the team to focus on the most important incidents. We’re also enabling rapid analysis and faster investigations of incidents leveraging data from Network Packets, Endpoints, Logs and Netflow all in one platform.  That way, they get to understand the true nature, scope, and impact of an incident to take targeted action.

RSA Security Analytics 10.4 overview:

  • Expanded Collection Options
    • Netflow support
    • CEF support
    • Support for 250+ Log Sources
  • Enhanced Network Investigations
    • Accelerated UI performance
    • Streamlined analyst workflow and more!
  • Tighter Integrations with RSA ECAT
    • Providing extended visibility down to the endpoint
    • Correlate network data, logs, and endpoint data
    • Pivot from Security Analytics Investigation directly into ECAT for deeper endpoint investigations
  • SIEM and Beyond Analytics
    • Centralized rule management
    • Alert Enrichment Options & Enhanced Alerting Capabilities
    • Data Science Driven Advanced Analytics leveraging the Pivotal HD Data Warehouse
  • Native Incident Triage/Management
    • Single console for managing queues and investigating issues
    • Centralized view into incidents across SA enabling analysts to rapidly identify, triage, investigate and respond to security events
    • Combined view of alerts from logs, packets, malware, ECAT
    • Integration with SecOps and ticketing systems
  • Platform Enhancements


RSA ECAT 4.0 Overview:

  • Scalability & Manageability Improvements
    • 50K hosts per server (2.5x increase)
    • Unified view in Console UI
  • Completely Redesigned UI
  • Enhanced Detection Capabilities & Real-time Alerting
    • Alert on suspicious behavior in real-time
    • Early warning of potentially malicious activity
    • Send to Security Analytics or other SIEM solutions
  • Mac OS X Support
  • RSA Live Support
  • Tighter Integrations with RSA Security Analytics
    • More ECAT metadata fed into Incident Management and SA Investigation


Check out the Virtual Event here: RSA Security Analytics 10.4 and RSA ECAT 4.0 Virtual Launch Event.  Tell us what you think!

We are pleased to announce the release of our August Content pack in RSA Live for Security Analytics! This release continues last month’s focus on illuminating instances of sensitive data leakage and offers content designed to profile host and user activity. We’ll also be introducing our first batch of correlation rules connecting the dots between what SA is seeing “on the wire” and ECAT’s host-based alerts. Last but not least, this release expands our ability to provide our customers with the tools to detect potential identity theft and abuse.

Detection of Data Exfiltration

  • Introducing new Application rules, ESA rules, and Reports for detecting large outbound connections to cloud services, 3rd party mailers, and common posting sites. Also included is detection content to help customers identify instances of internal data harvesting and subsequent posting to cloud drive services.

ECAT & Security Analytics

  • ECAT does an excellent job of detecting advanced threats affecting a host. To further complement its detection ability is a set of ESA rules that will look at both ECAT alerts and a protected host’s activity on the network. This builds a foundation for providing an unparalleled level of insight into the stealthiest of advanced threats. New are four ESA rules for correlating ECAT alerts with:
    • Core Botnet alerting
    • Beaconing activity
    • Audit log clearing
    • Suspicious encrypted traffic



  • As identity theft, fraud, and abuse escalate to the top of our customers’ concerns, new content is being developed to help detect unauthorized, abusive, or fraudulent user activity occurring on their networks. Identity content includes:
    • 2 ESA rules for detecting unusual administrative activity and suspicious account removal
    • 3 Reports for summarizing user account activity, privileged account activity, and all activity associated with a particular user list


Additional Log Support

  • Support for Cisco Meraki and SafeNet HSM platforms, along with 2 new and 28 updated log sources

We are pleased to announce the release of our July Content pack for RSA Live! This release continues last month’s focus on providing “at-a-glance” situational awareness. It also expands on our ability to detect both sensitive data leaving the network and potentially dangerous executable payloads.

Reporting capabilities are introduced focusing on enabling our customers to detect suspicious mail traffic patterns commonly associated with phishing attempts. And lastly, we have released a new parser designed to identify common HTML-based threat indicators.

The above is a subset of the threat detection content we are quietly building behind the scenes to accompany our upcoming 10.4 release of Security Analytics, and it helps set the stage for providing the most advanced threat detection capability on the market today.

Detection of Data Exfiltration

  • New application rules for detecting sensitive data leaving the network via unknown protocols as well as common protocols not normally associated with file transfers.

Expanded Reporting

  • Introduction of the Phishing Profile report. This report summarizes data relevant to identifying phishing attempts in the customer environment. In particular it summarizes HREF header mismatches, mail traffic from top countries by frequency, top email subjects, top email addresses by frequency, and top file extension of attachments by frequency.
  • Enhancing situational awareness are two new reports:
    • Top Communicants Report: allows the customer to immediately see the top talkers on their network by country, domain, inbound protocol and outbound protocol.
    • Executables Report: presents instances of all executables detected on the wire. This report is broken into four sections: Executables by Domain, Executables by Country, Abnormal Executables - Suspicious, and Abnormal Executables - Warning.

Enhanced Threat Detection

  • A new Lua parser called “HTML_threat”. This parser is designed to detect common HTML threat indicators such as hidden frames and embedded objects within a web page.

Additional Log Support

  • We’ve added support for two new log sources and provided updates to 30 of our existing log sources.


Recently Bit9 announced that its internal systems had been compromised and, as a result, malware had been signed using Bit9’s own digital code-signing certificates:


Does this affect RSA NetWitness Spectrum?

Bit9 has given RSA assurance that we are not one of the customers affected by the security incident. They have also stated that the specific product RSA uses from Bit9 (GSR, or Global Software Registry) was not affected by this compromise, directly or indirectly. More specifically, RSA NetWitness Spectrum’s only interaction with Bit9 is to post MD5 hashes of the files we are analyzing and to parse the result to determine the file’s threat level.


In summary, no remediation is required on the part of RSA NetWitness Spectrum customers as a result of the recent Bit9 security incident.

RSA Security Analytics is a game changer - why? At a high level, RSA Security Analytics defines a new security product category. It's the new name of our platform that's powered by NetWitness and combines network security monitoring, SIEM, and Big Data Management & Analytics.


But first, we're excited to introduce the new Security Analytics interface.  It's awesome with a fresh look and feel.  The new GUI unifies all your analytics within a single interface.  Your investigative and analytical workflows will all be integrated by this platform independent, browser-based GUI. 


This new GUI will first launch as a beta with three analytic modules:  Investigation, Live and Administration.


Check out this sneak peek below:


1. The Unified Dashboard - has customizable dashlets that allow for quick investigative actions. The Quick Tasks provide immediate access to popular features with a single click. HTML5 provides quick response to user input. It's clean and simple.



2. The Investigation module - we've put proven analytics functionality (Investigator) into an OS-independent browser. So now you have seamless integration between analysis views and Live context. In addition, we introduce a new feature called Meta Groups, where you can easily separate and organize investigative focus by use case.


3. The Live module - centralizes threat intelligence and content acquisition so you can continue to centrally manage your distribution of content.



4. The Administration module - manage your environment by grouping devices for administration or data access. Upgrade multiple devices at the same time. New drag-and-drop capability for adding metrics and timeline charts to historical statistical information.


This is just a summary, and we look forward to you navigating Security Analytics yourself and providing feedback!
