
Recently, RSA completed and certified a new threat intelligence partnership with Symantec as part of our RSA Ready program.  This partnership provides the opportunity to leverage Symantec DeepSight Intelligence with the RSA NetWitness Suite platform.  

 

This new certified partner can be utilized by the RSA NetWitness Suite to offer security analysts real-time context about an investigation so they can more quickly detect and respond to an incident.

 

For a detailed description about how to integrate Symantec DeepSight Intelligence into the RSA NetWitness Suite refer to the online integration documentation found here.

 

Also, for additional details and resources, please refer to the RSA Ready Partner Program.

Help us understand some of the specifics of your organization's use of, and needs from, RSA threat intelligence within the NetWitness Suite. Click here to take the quick survey.

Help us gain a basic understanding of your organization's use of threat intelligence. Click here to take the short survey.

Recently, RSA announced three new certified threat intelligence partners with the NetWitness suite through the RSA Ready Partner Program.

 

These new certified partners can be utilized by the RSA NetWitness Suite to offer security analysts real-time context about an investigation so they can more quickly detect and respond to an incident.

 

As part of that announcement, we have added additional Threat Intelligence Platform (TIP) and Threat Intelligence Content (TIC) partners. Those partners include the following (click on the respective links to go to each RSA Ready Implementation Guide):

 

 

For additional details about the announcement, you can also refer to the original press release here.

With the release of Security Analytics 10.6.1, we are more formally introducing the new RSA Live Connect community-based threat intelligence sharing service. This is a cloud-based threat intelligence service that gathers, correlates, analyzes, and processes threat intelligence across the RSA Security Analytics community. During this initial release of RSA Live Connect, the "Analyst Behaviors" service option provides an opportunity to voluntarily contribute threat intelligence information anonymously and securely to the Live Connect cloud service. This threat investigation information will be used by RSA to improve the RSA Live threat intelligence services.

 

 

Enabling the RSA Live Connect service in Security Analytics:

 

As mentioned, participation in the RSA Live Connect service is completely voluntary. Upon initial install or upgrade of Security Analytics 10.6.1, an application administrator will proactively be presented with a popup window with detailed information about the service and the opportunity to confirm acceptance into the service or opt out through the Live Services configuration interface. Also, authentication to Live Connect is done with existing RSA Live credentials. If you don't have an RSA Live account, details for enrolling and configuring can be found at RSA Security Analytics Live account.

 

Service popup:

 

 

 

Authentication via RSA Live Credentials:

 

 

 

 

Live Services Configuration:

 

 

 

The Live Connect service is being introduced as an open beta for all RSA Security Analytics customers with internet access and an RSA Live credential.  Participation in the beta is anonymous and optional.  For more detailed information about configuration and service details, see the RSA Security Analytics Live Connect documentation.

 

NOTE:  The RSA Live Connect service also provides a 'Threat Insights' option that is independent of the 'Analyst Behaviors' option.  Details for this option can be found in the blog post 'Leveraging RSA's New Live Connect Community Based Threat Intelligence Service'.  In addition, for a more detailed description see the RSA Security Analytics Live Connect documentation.

Ever feel like an analyst alone on an island attempting to hunt down the latest attack or risk in your network?  Or, when trying to investigate an incident or potential attack, do you ever find yourself digging through mountains of data and information while still not feeling like you have enough context or perspective on the data to make informed decisions?

 

With the release of Security Analytics 10.6.1, we are more formally introducing the new RSA Live Connect community-based threat intelligence sharing service. This is a cloud-based threat intelligence service that gathers, correlates, analyzes, and processes threat intelligence across the RSA Security Analytics community. In turn, this intelligence can be leveraged by SA customers during the threat investigation workflow. During this initial release of RSA Live Connect, the "Threat Insights" service option will provide a threat intelligence risk assessment, anonymous community statistics, and an opportunity to 'give back' to the community by providing risk assessment feedback for a given IP address that Live Connect is tracking.

 

 

 

Enabling the RSA Live Connect service in Security Analytics:

 

Participation in the RSA Live Connect service is completely voluntary. Upon initial install or upgrade of Security Analytics 10.6.1, an application administrator will proactively be presented with a popup window with detailed information about the service and the opportunity to confirm acceptance into the service or opt out through the Live Services configuration interface. Also, authentication to Live Connect is done with existing RSA Live credentials. If you don't have an RSA Live account, details for enrolling and configuring can be found at RSA Security Analytics Live account.

 

Service popup:

 

 

Authentication via RSA Live Credentials:

 

 

 

Live Services Configuration:

 

 

Leveraging the RSA Live Connect service during SA Investigations workflow:

Once you have enabled and configured the Live Connect service, an analyst can leverage the Live Connect IP-based threat intelligence during the Security Analytics Investigation workflow via the Context Hub. If community-based threat intelligence is available for a given IP, the IP will be highlighted, and a user can right-click it to open the Context Hub with a detailed view of the Live Connect assessment and statistics for that IP address.

 

 

In addition, upon completing an investigation of the given IP address, the analyst can provide feedback to RSA Live Connect to confirm that the IP is seen as 'Safe' or 'Risky'. Again, this feedback is voluntary and anonymous. However, feedback from analysts provides tremendous value to the RSA Live Connect service when it assesses the risk level and provides insight to the broader RSA SA community.

 

 

The Live Connect service is being introduced as an open beta for all RSA Security Analytics customers with internet access and an RSA Live credential.  Again, participation in the beta is anonymous and completely optional.  For more detailed information about configuration and service details, see the RSA Security Analytics Live Connect documentation.

 

NOTE: The RSA Live Connect service also provides an 'Analyst Behaviors' option for sharing threat investigation information that is independent of the 'Threat Insights' option. Details for this option can be found in the subsequent blog post 'Giving Back to the Community Through RSA Live Connect's 'Analyst Behaviors''. In addition, for a more detailed description see the RSA Security Analytics Live Connect documentation.

With the rapid growth in the number of threat intelligence providers and services, the need for threat intelligence format standards and protocols became inevitable. With the emergence of STIX, Structured Threat Information eXpression, threat intelligence providers, application vendors, and users could begin to share and leverage threat intelligence by speaking a common language. (For additional information about STIX, see Structured Threat Information eXpression.)

 

With the release of Security Analytics 10.6.1, RSA will begin providing some initial basic support for the STIX threat intelligence file format.  Initial support for the STIX format will be focused on threat indicators through STIX 'Observables' and 'Indicators'.  Specifically, a user will be able to import threat indicators such as IP addresses, file hashes, and URLs.  Similar to the existing ability in Security Analytics to import custom CSV based threat intelligence feeds, a user will be able to map the intelligence imported from a STIX feed to the creation of meta data during packet and/or log capture time by the SA decoders.  Once meta data is created, a user can leverage the information during threat detection and/or during the threat investigation workflows.   
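A sketch of how IP address, URL and file-hash values can be flattened out of STIX Observables and Indicators into (value, type) rows like those of a CSV feed, with malformed values rejected. This is an added example, not RSA's code or part of the original post; it assumes STIX 1.x XML with CybOX 2.x objects (the post names no version), and the sample document and the names `PATHS`, `valid` and `stix_to_rows` are constructed for illustration.

```python
import ipaddress, re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed: STIX 1.x XML carrying CybOX 2.x objects (the post names no version).
PATHS = {"ip": ".//{http://cybox.mitre.org/objects#AddressObject-2}Address_Value",
         "url": ".//{http://cybox.mitre.org/objects#URIObject-2}Value",
         "hash": ".//{http://cybox.mitre.org/common-2}Simple_Hash_Value"}

# Constructed sample, trimmed for space (ids, xsi:type and hash Type omitted).
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
<stix:Observables><cybox:Observable><cybox:Object><cybox:Properties>
 <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
</cybox:Properties></cybox:Object></cybox:Observable>
<cybox:Observable><cybox:Object><cybox:Properties>
 <AddressObj:Address_Value>not-an-ip</AddressObj:Address_Value>
</cybox:Properties></cybox:Object></cybox:Observable></stix:Observables>
<stix:Indicators><stix:Indicator><indicator:Observable><cybox:Object>
 <cybox:Properties><URIObj:Value>http://bad.example/a.php</URIObj:Value>
</cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
<stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties>
 <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Simple_Hash_Value>
 D41D8CD98F00B204E9800998ECF8427E</cyboxCommon:Simple_Hash_Value>
 </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object>
</indicator:Observable></stix:Indicator></stix:Indicators></stix:STIX_Package>"""

def valid(kind, v):
    if kind == "url":
        return (u := urlparse(v)).scheme in ("http", "https") and bool(u.netloc)
    if kind == "hash":  # MD5, SHA-1 or SHA-256 hex digest
        return bool(re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v))
    try:  # ip_address() returns an address object (truthy) or raises
        return bool(ipaddress.ip_address(v))
    except ValueError:
        return False

def stix_to_rows(xml_text):
    """Return (sorted unique (value, kind) rows, rejected (value, kind) entries)."""
    root = ET.fromstring(xml_text)  # untrusted feeds need a hardened XML parser
    found = [((el.text or "").strip(), kind)
             for kind, path in PATHS.items() for el in root.iterfind(path)]
    found = [(v.lower() if k == "hash" else v, k) for v, k in found]
    rows = sorted({f for f in found if valid(f[1], f[0])})
    return rows, [f for f in found if not valid(f[1], f[0])]
```

Reviewing the rejected list before a feed goes live shows which entries would never have produced a match.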

 

 

Custom Feed Importing:

As mentioned, importing a STIX feed is similar to importing a Live Custom Feed (See Live Custom Feed Configuration).  After specifying the STIX feed type, a user can choose to do a one-time 'Adhoc' import from disk or a 'Recurring' feed from a specified URL location.

 

 

Specify STIX and 'Adhoc' or 'Recurring'.

 

 

Mapping to Meta Data:

Upon specifying the feed, the user can map the information to metadata.

 

 

Leveraging During Investigation:

 

After the import and/or configuration is complete, SA will begin to create metadata at data capture time. Once the metadata is created, users can leverage the STIX-based threat intelligence during subsequent investigations.

 

 

 

For additional details about Security Analytics STIX support, see Security Analytics STIX.
