Warehouse Analytics: Overview

Document created by RSA Information Design and Development on Jun 22, 2017

This topic describes how Data Analysts can analyze Warehouse data and identify indicators of compromise (IOCs), leveraging the RSA Analytics Warehouse. You can analyze session and log data in your Warehouse using data science techniques. As a Cyber Threat Intel analyst, you can view reports of early indicators of compromise. The following Warehouse Analytics models are supported for packet data:

  • Suspicious Domains
  • Suspicious DNS Activity 
  • Host Profile 

Extract, Transform, and Load (ETL) Jobs

The ETL job runs as a backend process on the Warehouse and pre-processes the data that the models use. The ETL job runs automatically every day at the prescribed time on the packet data. In this version, the module handles packet data only. The output of the ETL job is used as the input to the Suspicious Domains, Suspicious DNS Activity, and Host Profile models. You must import the latest jobs for all the models from Live.

When the ETL job runs for the first time, the job processes data from the past 14 days (in UTC time zone) and subsequently processes data from the previous day (in UTC time zone). If you want to run the ETL jobs for any other date range, you can use the 'Test job' option.

Note: You cannot use ETL jobs to generate any viewable reports. If the ETL job fails on its first run, you can use the 'Test Job' option to re-process the data for that time range.

Suspicious Domains 

The Suspicious Domains model identifies malicious or suspicious domains based on their communication behavior. It uses a data-driven, automatic approach that is reactive and designed to identify risky activity that is likely to be missed by other, signature-based solutions. This model generates profiles that describe the behaviors of the domains and applies a probabilistic risk assessment method to these profiles to reveal the most suspicious domains. Using these scores, you can find the domains that are most likely to be used for malicious activity within your network.

You can view a report with the following information:

  • List of high-risk destination domains and a ranking of all observed domains based on their level of anomaly
  • A comprehensive report explaining why each domain is high risk
  • Risk scoring for each domain
  • Unified risk score of the domain relative to all domains, based on multi-dimensional analysis of features of the connection

Based on this information you can investigate further, block the domains, and recommend changes to the security policies to prevent future occurrences of such connections. You can also generate your own local domain blacklists and use them in incident investigation or to define a new security policy that prevents your assets from connecting to similar malicious domains in the future.

Suspicious DNS Activity

The Suspicious DNS Activity model can identify malicious domains based on a particular DNS communication pattern common to botnets. This module uses an automatic method to identify domains exhibiting a hosting pattern in which the IP address of the malicious domain is constantly changing. This pattern is also found in load-balanced hosts and content distribution networks (CDNs); the model differentiates between them and detects only the malicious domains. Once a domain is identified, you can isolate the host making the requests and block its access to the network.

You can view a report with the following information:

  • List of domains showing suspicious fast-flux DNS with an associated risk score.
  • Graph of the associated CDN communication with a score indicating whether the domain is showing the fast-flux pattern or not.
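A sketch of the fast-flux scoring described above, as an added example that is not RSA's Warehouse Analytics code: it groups constructed DNS answer records by domain and assumes that address churn spread across several networks with short TTLs separates a fast-flux domain from a single-provider CDN. The feature set, weights and thresholds are assumptions, not the product's.

```python
"""Fast-flux style scoring of DNS answers over constructed records.
Added example, not RSA's model; features, weights and thresholds are assumptions."""

from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS answer records in lookup order: (domain, resolved_ip, ttl_seconds)
SAMPLE_ANSWERS = [
    ("cdn.static.example", "203.0.113.10", 60),     # CDN: rotates within one range
    ("cdn.static.example", "203.0.113.11", 60),
    ("cdn.static.example", "203.0.113.12", 60),
    ("cdn.static.example", "203.0.113.13", 60),
    ("cdn.static.example", "203.0.113.14", 60),
    ("www.stable.example", "192.0.2.80", 3600),     # ordinary host: one address
    ("www.stable.example", "192.0.2.80", 3600),
    ("flux.bad.example", "192.0.2.17", 300),        # fast-flux: many ranges, short TTL
    ("flux.bad.example", "198.51.100.42", 300),
    ("flux.bad.example", "203.0.113.99", 300),
    ("flux.bad.example", "192.0.2.201", 300),
    ("flux.bad.example", "198.51.100.9", 300),
    ("flux.bad.example", "203.0.113.7", 300),
]

def domain_features(answers):
    """answers: list of (ip, ttl) for one domain in lookup order."""
    distinct = {ip for ip, _ in answers}
    # Group resolved addresses by /24 as a rough proxy for hosting diversity (assumption)
    nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in distinct}
    avg_ttl = sum(ttl for _, ttl in answers) / len(answers)
    # Weighted risk in [0, 1]: address count, network spread, short TTL
    risk = (0.4 * min(len(distinct) / 8, 1.0)
            + 0.4 * min(len(nets) / 4, 1.0)
            + 0.2 * (1.0 if avg_ttl <= 300 else 0.0))
    return {
        "distinct_ips": len(distinct),
        "networks": len(nets),
        "avg_ttl": avg_ttl,
        "risk": round(risk, 2),
        # Flag only when churn spans several networks, which a single-provider CDN rarely does
        "fast_flux": len(distinct) >= 5 and len(nets) >= 3 and avg_ttl <= 300,
    }

def score_domains(records=SAMPLE_ANSWERS):
    """Group raw answer records by domain and score each one."""
    by_domain = defaultdict(list)
    for domain, ip, ttl in records:
        by_domain[domain].append((ip, ttl))
    return {d: domain_features(a) for d, a in by_domain.items()}
```

`score_domains()` returns one feature dictionary per domain; in the constructed sample only `flux.bad.example` is flagged, because the CDN churns through as many addresses but stays inside one network.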

Host Profile

The Host Profile model collects and summarizes all HTTP, HTTPS, and DNS activity for each internal host in the network data. The module allows fast investigation of the different usage patterns of a host and provides the analyst with answers to questions that arise during an investigation and would otherwise require multiple queries or manual comparisons.

You can view a report with color-coded heat maps to identify the risk of beacon traffic from each host. You can also view graphs that provide details on the traffic.

After the report is generated, you can perform the following tasks:

  • Use a blacklist to alert on IPs or domains, and a whitelist to ignore those that are benign.
  • Create actionable security incidents from incoming alerts.

    • Integrate incidents with a third-party help desk system to track the remediation process.
    • Integrate with RSA Archer eGRC for incident management and remediation.
  • Use the Investigation module to identify the root causes.