Live: Security Analytics Feedback and Data Sharing

Document created by RSA Information Design and Development on Apr 1, 2016. Last modified by RSA Information Design and Development on Dec 19, 2016.
Version 4

This topic introduces the Feedback and Data Sharing features of Security Analytics.

The settings for these features are available in Administration > System > Live Services view, in the Additional Live Services section.

Additional Live Services

Participation in the Additional Live Services is configured in the Administration > System > Live Services view.

Live Feedback

Live Feedback is intended to help improve RSA Security Analytics.

Once you set up and configure a Live account, usage data is shared with RSA. The data is protected in accordance with the applicable license agreement. Customer usage data, including usage metrics and current version of Security Analytics hosts, is automatically shared with RSA upon the system’s connection to the Internet.

Before data is sent to RSA, all Personally Identifiable Information is removed. Thus, only anonymous usage data gets transferred to RSA.

Live Connect Threat Data Sharing (Beta)

RSA Live Threat Data Sharing is an automated data collection service. Its goal is to share potential threat intelligence data with the RSA Live Connect cloud service for analysis. Any type of meta data can be collected, depending on deployment, configuration, network activity, and analyst interaction with Security Analytics.

The default setting for this service is on. To change the setting, navigate to the Administration > System > Live Services view (or contact Customer Care to opt out).

Meta data is captured locally by Security Analytics and then sent securely and anonymously to the RSA Live cloud service. The RSA Live cloud service stores this information along with other data collected across the entire RSA Security Analytics community in order to improve RSA Live threat intelligence services.

Note: All data collected locally is de-identified and obfuscated and then sent securely and anonymously to the RSA Live Connect cloud service, where it is stored in a secure environment.

Description

Live Connect Threat Data Sharing has been developed as a community-based threat intelligence sharing platform.

It has the following characteristics and goals:

  • Crowd-sourced: the RSA community contributes to the entire collection of intelligence
  • Centrally collect and analyze data from the RSA community
  • Reduce the intelligence cycle time from days to minutes

Some details to consider:

  • We are leveraging analyst investigation activity
  • We are harvesting meta data such as IP addresses and domain names
  • We are doing deep data analysis: Trending, correlation, anomaly detection
  • Remember, this feature is currently in Beta

Participation

Customer participation is optional. Upon initial install or upgrade to Security Analytics 10.6, you are presented with a confirmation screen. By default, you are entered into the program, but you can opt out at any time.

Cloud Authentication

Authentication for the program is done in the Security Analytics UI, where you configure the Live account in the Live services section.

Configuration

To view or change the settings for Live Connect Threat Data Sharing, in the Security Analytics menu, select Administration > System > Live Services. Check or clear the Enable box to participate or stop participating in the program.

Data Collection

Data is collected as follows:

  • Data Attribution: Anonymous
  • Data Source: Subset of meta keys and meta values of a Security Analytics analyst's page views from the Security Analytics Core Query logs.
  • Query Log Harvesting Process:

    • Timing: Batch mode every 24 hours (4 AM – 6 AM UTC)
    • Log Collection: Security Analytics server collects SA core device log entries for the previous 24 hours
    • Log Entries: Only SDK-Value and SDK-Query API calls that contain a where clause are collected
    • Log Attribute Parsing: Each entry must have one of the following meta key indicators present: ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, or domain.src. If so, meta keys and meta values from the entry will be collected.

    Note: Once the above criteria are met, Security Analytics sends all of the meta keys and values from the query to the cloud, not just the meta key indicators.

The log report is sent in JSON format, over SSL. It contains:

  • Timestamps
  • Live CMS username (sha256)
  • Security Analytics license server ID (sha256)
  • List of SA endpoint IDs (sha256)
  • Harvested meta values (MD5 and SHA256 hashed)

Example

This section shows entries from a log file, followed by the corresponding section of extracted and hashed data.

Section from a log file:

User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205237) (thread 2332): fieldName=filter id1=1 id2=23138902 threshold=100000 size=20 flags=sessions,sort-total,order-descending,ignore-cache where="(alias.host = 'mail.google.com') && (ip.src = 161.253.31.130) && time=\"2015-12-07 18:08:00\"-\"2015-12-07 21:07:59\""

Data extrapolation with hashing:
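The harvesting rules above (SDK-Value/SDK-Query calls with a where clause, at least one indicator meta key, every key and value of the query hashed with MD5 and SHA256, identifiers hashed with SHA256) can be exercised locally against the sample log entry. The following Python is an added example written for this page, not RSA's harvester: the log line format is taken from the entry shown above, the two extra log lines are constructed to show the skip cases, and the JSON field names and the assumption that meta keys come from the where clause are this example's own choices, not the product's documented report layout.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Meta key indicators listed on the page: an entry is harvested only if at
# least one of them appears in its where clause.
INDICATOR_KEYS = {
    "ip.src", "ip.dst", "ip.addr", "device.ip", "alias.ip", "alias.host",
    "paddr", "sessionid", "domain.dst", "domain.src",
}

# Assumption: the SDK call type ("values" for SDK-Value, "query" for SDK-Query)
# follows "has issued", as in the page's sample entry.
CALL_RE = re.compile(r"has issued (values|query) ")
# The where clause is a double-quoted string whose inner quotes are \"-escaped.
WHERE_RE = re.compile(r'where="((?:[^"\\]|\\.)*)"')
# key = value pairs inside the clause: 'quoted', "range"-"range", or a bare token.
PAIR_RE = re.compile(r"""([A-Za-z][\w.]*)\s*=\s*('[^']*'|"[^"]*"(?:-"[^"]*")?|[^\s()&|]+)""")

# The log entry shown on the page.
PAGE_LOG_ENTRY = (
    r'''User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205237) (thread 2332): '''
    r'''fieldName=filter id1=1 id2=23138902 threshold=100000 size=20 flags=sessions,sort-total,order-descending,ignore-cache '''
    r'''where="(alias.host = 'mail.google.com') && (ip.src = 161.253.31.130) && time=\"2015-12-07 18:08:00\"-\"2015-12-07 21:07:59\""'''
)
# Constructed entries (not from the page) that the filters must reject.
NO_INDICATOR_ENTRY = r'''User admin (session 204299, 10.4.50.60:57455) has issued query (channel 205238) (thread 2333): id1=1 id2=23138902 size=20 where="(service = 80)"'''
NO_WHERE_ENTRY = r'''User admin (session 204300, 10.4.50.60:57456) has issued values (channel 205239) (thread 2334): fieldName=ip.dst id1=1 id2=23138902 size=20'''


def extract_where_pairs(line):
    """Return [(meta_key, meta_value), ...] from the entry's where clause, in the clear."""
    m = WHERE_RE.search(line)
    if not m:
        return []
    clause = m.group(1).replace('\\"', '"')  # undo the log's quote escaping
    pairs = []
    for key, raw in PAIR_RE.findall(clause):
        value = raw[1:-1] if raw.startswith("'") else raw.replace('"', "")
        pairs.append((key, value))
    return pairs


def hash_value(value):
    """Meta values are sent as MD5 and SHA256 digests, never in the clear."""
    data = value.encode("utf-8")
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def harvest_entry(line):
    """Apply the page's filters; return the hashed meta for one entry, or None if skipped."""
    call = CALL_RE.search(line)
    if not call:
        return None  # not an SDK-Value / SDK-Query call
    pairs = extract_where_pairs(line)
    if not pairs:
        return None  # no where clause
    if not INDICATOR_KEYS.intersection(k for k, _ in pairs):
        return None  # no indicator meta key present
    # Once the criteria are met, every key/value of the query is sent, not only the indicators.
    return {"call": call.group(1), "meta": [{"key": k, **hash_value(v)} for k, v in pairs]}


def build_report(log_lines, cms_username, license_server_id, endpoint_ids, generated_at=None):
    """Assemble a report with the contents the page lists; field names are assumptions."""
    if generated_at is None:
        generated_at = datetime.now(timezone.utc)
    entries = [e for e in (harvest_entry(line) for line in log_lines) if e]
    return {
        "generatedAt": generated_at.isoformat(),
        "liveCmsUser": hashlib.sha256(cms_username.encode()).hexdigest(),
        "licenseServerId": hashlib.sha256(license_server_id.encode()).hexdigest(),
        "endpointIds": [hashlib.sha256(e.encode()).hexdigest() for e in endpoint_ids],
        "entries": entries,
    }


def contains_cleartext(report, *secrets):
    """True if any of the given cleartext values leaks into the serialized report."""
    blob = json.dumps(report)
    return any(s in blob for s in secrets)


if __name__ == "__main__":
    report = build_report([PAGE_LOG_ENTRY, NO_INDICATOR_ENTRY, NO_WHERE_ENTRY],
                          "admin", "license-server-id", ["endpoint-1"])
    print(json.dumps(report, indent=2))
```

Running the module prints one harvested entry with three hashed meta values (alias.host, ip.src and the time range) and skips the two constructed lines. The `contains_cleartext` check is the review step a privacy or security owner would want before enabling the service: serialize the report and confirm that none of the original host names, addresses or identifiers appear in it.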

Troubleshooting

This section describes troubleshooting options for Live Connect Threat Data Sharing.

Query Log Retrieval Sample

To retrieve a sample of threat intelligence data sent to Live Connect, you construct a URL by setting the following parameters:

  • sendReport: true or false. true sends the report to the Live Connect server; false only creates the report for viewing. Defaults to false.
  • hashValues: true or false. true hashes the values as md5/sha256; false shows the values in clear text and should be used only for manual viewing. Defaults to false.
  • startDate / endDate: time boundaries for the log entries. Format: YYYY-MM-DD HH:mm:ss

The following is an example of the URL to use to retrieve query logs:

https://<server>/admin/liveconnect/force_aggregation?startDate=2016-01-18%2000:00:00&endDate=2016-01-19%2010:10:00&sendReport=false&hashValues=true
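Building this URL by hand is error-prone (the space in the timestamps must be encoded, the booleans are lowercase strings, and a report with hashValues=false must never leave the server). The helper below is an added example for this page, not part of Security Analytics; it validates the page's date format, encodes the parameters the way the sample URL shows, and refuses to combine sendReport=true with hashValues=false, a local safeguard chosen for this example rather than documented product behaviour.

```python
from datetime import datetime
from urllib.parse import quote

# The page's date format, YYYY-MM-DD HH:mm:ss, as a strptime pattern.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"
ENDPOINT_PATH = "/admin/liveconnect/force_aggregation"  # path from the page's sample URL


def is_valid_date(value):
    """True if the value matches the YYYY-MM-DD HH:mm:ss format exactly."""
    try:
        datetime.strptime(value, DATE_FORMAT)
        return True
    except ValueError:
        return False


def build_force_aggregation_url(server, start_date, end_date, send_report=False, hash_values=False):
    """Build the query-log retrieval URL, rejecting malformed or unsafe parameter sets."""
    for name, value in (("startDate", start_date), ("endDate", end_date)):
        if not is_valid_date(value):
            raise ValueError(f"{name} must use the format YYYY-MM-DD HH:mm:ss, got {value!r}")
    if datetime.strptime(end_date, DATE_FORMAT) <= datetime.strptime(start_date, DATE_FORMAT):
        raise ValueError("endDate must be later than startDate")
    # Example-specific safeguard: clear-text values are for manual viewing only,
    # so never send a report that was built with hashValues=false.
    if send_report and not hash_values:
        raise ValueError("refusing to send a report with unhashed values; set hash_values=True")
    params = [
        ("startDate", start_date),
        ("endDate", end_date),
        ("sendReport", str(send_report).lower()),
        ("hashValues", str(hash_values).lower()),
    ]
    # quote() encodes the space as %20 and leaves ':' as-is, matching the sample URL.
    query = "&".join(f"{key}={quote(value, safe=':')}" for key, value in params)
    return f"https://{server}{ENDPOINT_PATH}?{query}"


if __name__ == "__main__":
    # Reproduces the sample URL from the page with a placeholder server name.
    print(build_force_aggregation_url("<server>", "2016-01-18 00:00:00", "2016-01-19 10:10:00",
                                      send_report=False, hash_values=True))
```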

System Logging: Debug

You can access some debug information as follows.

  1. In the Security Analytics menu, select Administration > System > System Logging.
  2. Select the Settings tab.
  3. In the Package Configuration section, select com > netwitness > platform > server > liveconnect > service (DEBUG).
