SA: Introduction to Security Analytics

Document created by RSA Information Design and Development on Nov 21, 2016. Last modified by RSA Information Design and Development on Nov 28, 2016.

RSA Security Analytics is a distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. Security Analytics allows administrators to collect two types of data from the network infrastructure: packet data and log data. The key aspects of the architecture are:

  • Distributed Data Collection. The packet data is collected using a host called Decoder, while the Log Decoder collects log events. The Decoder captures, parses, and reconstructs all network traffic from Layers 2-7, or log and event data from hundreds of devices and event sources. The Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting. The Broker aggregates data captured by other devices and event sources. Brokers aggregate data from configured Concentrators; Concentrators aggregate data from Decoders. Therefore, a Broker bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure.
  • Real-time Analytics. The Security Analytics Event Stream Analysis (ESA) host provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators. ESA uses an advanced Event Processing Language that allows analysts to express filtering, aggregation, joins, pattern recognition and correlation across multiple disparate event streams. Event Stream Analysis helps to perform powerful incident detection and alerting.
  • RSA Analytics Warehouse. A Hadoop-based distributed computing system, which collects, manages, and enables analytics and reporting on longer-term sets of security data, for example, months or years. The Warehouse can be made up of three or more nodes depending on the organization's analytic, archiving, and resiliency requirements.
  • Security Analytics Server. Hosts Reporting, Investigation, Administration, and other aspects of the user interface. Also enables reporting on data held in the Warehouse.
  • Capacity. Security Analytics has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs.

Security Analytics provides large deployment flexibility. You can design its architecture using anywhere from several dozen physical hosts down to a single physical host, based on the particulars of the customer's performance and security-related requirements. In addition, the entire Security Analytics system has been optimized to run on virtualized infrastructure. The following image illustrates the Security Analytics functional architecture:

[Figure: Security Analytics functional architecture (104MarkDiagram.png)]

The System Architecture comprises these major components: Decoders, Brokers and Concentrators, Archivers, ESA, Warehouse Connectors, RSA Warehouse. Security Analytics components can be used together as a system or can be used individually.

  • In a security information and event management (SIEM) implementation, the base configuration requires these components: Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), and the Security Analytics Server.
  • In a forensics implementation, the base configuration requires these components: Decoder, Concentrator, Broker, ESA, and Malware Analysis. An optional component is the Incident Management service, which resides on the ESA system and is used to prioritize alerts.

The following table provides a synopsis of each major component:

System Component / Description
Decoder / Log Decoder
  • Security Analytics collects two types of data: packet data and log data. 
  • Packet data, that is, network packets, are collected using the Decoder through a network tap or SPAN port, typically placed at an egress point of the organization's network.
  • A Log Decoder can collect four different log types: Syslog, ODBC, Windows eventing, and flat files.
  • Windows eventing refers to the Windows 2008 collection methodology and flat files can be obtained via SFTP. 
  • Both types of Decoders ingest raw transactional data that is enriched, closed out, and aggregated to the warehouse or other Security Analytics components.
  • The process for ingesting and parsing transactional data is a dynamic and open framework.
Concentrator / Broker
  • Any data that can be indexed on the Decoder is filtered by the respective Concentrator. 
  • Once data is stored in the Concentrator, it is streamed as metadata to the RSA Analytics Warehouse.
Archivers
  • The Archiver is a host that enables long-term log archiving by indexing and compressing log data and sending it to archiving storage.  
  • The archiving storage is optimized for long-term data retention, and compliance reporting.  
  • Archiver stores raw logs and log meta data from Log Decoders for long-term retention, and it uses Direct-Attached Capacity (DAC) for storage.

    Note: Raw packets and packet meta data are not stored in the Archiver.

Event Stream Analysis (ESA)
  • The ESA host provides event stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators.
  • ESA uses an advanced Event Processing Language that allows users to express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams.
  • ESA helps to perform powerful incident detection and alerting.
Warehouse Connectors
  • Warehouse Connector allows you to collect meta data and events from Decoders and write them in Avro format into a Hadoop-based distributed computing system.
  • You can set up Warehouse Connector as a service on existing Log Decoders or Decoders or it can be run as a virtual host in your virtual environment. 
  • The Warehouse Connector contains the following components: Data Source, Destination, and Data Stream. 
RSA Analytics Warehouse
  • RSA Analytics Warehouse provides the capacity for longer term data archiving through a Hadoop-based distributed computing system that collects, manages, and enables analytics and reporting on security data.
  • RSA Analytics Warehouse requires a service called Warehouse Connector to collect meta data and events from Decoder and Log Decoder and write them in Avro format into a Hadoop-based distributed computing system.
  • Any incoming data at the Log Decoder and Concentrator is ultimately forwarded to the Warehouse. 
  • A Warehouse typically consists of two units: Storage nodes and Direct Attached Capacity (DAC). 
  • The entire data set (not just meta data) is stored in the RSA Analytics Warehouse and is available to Security Analytics when required.

Core Versus Downstream Components

In Security Analytics, the Core services ingest and parse data, generate meta data, and aggregate generated meta data with the raw data. In the figure below, the Core services are highlighted in blue; they are Decoder, Log Decoder, Concentrator, and Broker. Downstream systems use data stored on Core services for analytics; therefore, the operation of downstream services depends on the Security Analytics Core services. The downstream systems are highlighted in red; they are Archiver, Warehouse, ESA, Malware Analysis, Investigation, and Reporting.

Although the Security Analytics Core services can operate and provide a good analytics solution without the downstream systems, the downstream components provide additional analytics. ESA provides real-time correlation across sessions and events as well as between different types of events, such as log and packet data. Investigation provides the ability to drill into data, examine events and files, and reconstruct events in a safe environment. The Malware Analysis service provides real-time, automated inspection for malicious activity in network sessions and associated files.
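To make the cross-stream correlation attributed to ESA above concrete, here is an added, self-contained Python sketch (not RSA code and not the ESA Event Processing Language) that joins a log stream and a packet stream in sliding time windows: a burst of authentication failures followed by a success, then a large outbound session from the same source, raises an alert. The field names (src_ip, event_type, dst_ip, bytes) and the sample events are constructed for this example and are not Security Analytics meta keys.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, stream, fields). Field names
# such as src_ip/event_type are assumptions for this example, not RSA meta keys.
SAMPLE_EVENTS = [
    (100, "log", {"src_ip": "10.0.0.5", "event_type": "auth_failure"}),
    (105, "log", {"src_ip": "10.0.0.5", "event_type": "auth_failure"}),
    (110, "log", {"src_ip": "10.0.0.5", "event_type": "auth_failure"}),
    (112, "log", {"src_ip": "10.0.0.5", "event_type": "auth_success"}),
    (130, "packet", {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "bytes": 5_000_000}),
    (140, "log", {"src_ip": "10.0.0.7", "event_type": "auth_failure"}),
    (150, "packet", {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.9", "bytes": 9_000_000}),
]

class CrossStreamCorrelator:
    """Pattern: >= fail_threshold auth failures then an auth success from the same
    source within `window` seconds, followed by a large outbound session from that
    source within `window` seconds of the success, raises one alert per source."""

    def __init__(self, window=300, fail_threshold=3, min_bytes=1_000_000):
        self.window, self.fail_threshold, self.min_bytes = window, fail_threshold, min_bytes
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
        self.suspicious_success = {}        # src_ip -> time of success after failures
        self.alerts = []

    def process(self, ts, stream, fields):
        src = fields["src_ip"]
        if stream == "log":
            q = self.failures[src]
            while q and ts - q[0] > self.window:  # drop failures outside the window
                q.popleft()
            if fields["event_type"] == "auth_failure":
                q.append(ts)
            elif fields["event_type"] == "auth_success" and len(q) >= self.fail_threshold:
                self.suspicious_success[src] = ts
                q.clear()
        elif stream == "packet":
            t0 = self.suspicious_success.get(src)
            if t0 is not None and ts - t0 <= self.window and fields["bytes"] >= self.min_bytes:
                self.alerts.append({"src_ip": src, "dst_ip": fields["dst_ip"], "time": ts})
                del self.suspicious_success[src]  # one alert per suspicious login

def correlate(events=SAMPLE_EVENTS):
    """Replay events in time order and return the alerts raised."""
    c = CrossStreamCorrelator()
    for ts, stream, fields in sorted(events, key=lambda e: e[0]):
        c.process(ts, stream, fields)
    return c.alerts
```

On the sample data only 10.0.0.5 satisfies the whole pattern; 10.0.0.7 has a large session but no preceding failure burst, so it stays silent.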

[Figure: Core and downstream systems (CoreandDownStreamSystems.png)]

Security Analytics User Interface

At a very high level, Security Analytics performs two functions:

  • Provides a graphical browser-based user interface to administer the Security Analytics architecture and to set up configurations and permissions for services.
  • Acquires the data from the Warehouse, Decoders and Concentrators, performs analysis, and runs alerts and reports.

All Security Analytics modules share a common approach to presenting data and configuration options using a series of dashboards, views, grids, and dialogs. This helps users to navigate in a seamless and easily understandable way. Once familiar with the user interface, users can further improve their productivity by creating custom dashboards for specific purposes. For example, a set of custom dashboards can present information for different regions or different types of threats.

Security Analytics Modules

Security Analytics organizes administrative, analytical, and reporting tasks into modules representing logical groupings of functions and tasks for services:

  • The dashboard is the entry point for all Security Analytics modules, providing a portal into functions of other modules for user convenience.
  • The Administration module is the user interface for administering and monitoring hosts, devices and event sources, and services. When configured, hosts, devices and event sources, and services are available to other Security Analytics modules.
  • The Investigation module is the user interface that allows visualization of packets captured by Security Analytics hosts. Malware Analysis is the user interface for automated malware analysis.
  • The Live module is the user interface to access and manage resources available to customers through the Live Content Management System.
  • The Reports and Alerts modules provide the user interface for automated reporting and alerting functions.
  • The Incidents module provides the Incident Management function in Security Analytics. The incident management function is an easy way to track the incident response process and provides the following capabilities:

    • Track the Incident Response in a consistent way.
    • Automate the process of creating actionable security incidents from incoming alerts.
    • Provide business context and investigational tools to help the team discover the root causes.
    • Track the remediation process in an automated way by integrating with a third party help desk system.