Live: Security Analytics Feedback and Data Sharing

Document created by RSA Information Design and Development on Jun 26, 2017Last modified by RSA Information Design and Development on Jul 28, 2017
Version 2Show Document
  • View in full screen mode
  

This topic introduces the Feedback and Data Sharing features of Security Analytics.

The settings for these features are available in Administration > System > Live Services view, in the Additional Live Services section.

Additional Live Services

Participation in the Additional Live Services is configured in the Administration > System > Live Services view.

Live Feedback

Live Feedback is intended to help improve RSA Security Analytics.

Once you set up and configure a Live account, usage data is shared with RSA. The data is protected in accordance with the applicable license agreement. Customer usage data, including usage metrics and current version of Security Analytics hosts, is automatically shared with RSA upon the system’s connection to the Internet.

Before data is sent to RSA, all Personally Identifiable Information is removed. Thus, only anonymous usage data gets transferred to RSA.

For more information, see the Live Feedback Overview topic in the System Configuration Guide.

RSA Live Connect (Beta)

RSA Live Connect is a cloud based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources including the RSA Security Analytics and RSA ECATcustomer community. RSA Live Connect consists of the following features:

  • Threat Insights
  • Analyst Behaviors

Threat Insights

Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by the analysts during investigation.

By default, Threat Insights is enabled in Additional Live Services section. If Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see the Configure Live Connect Data Source for Context Hub topic in the Context Hub Configuration Guide.

With Live Connect as a data source for context hub, you can use the Context Lookup option in Investigation > Navigate view or Investigation > Events view to fetch contextual information. For instructions, see View Additional Context for a Data Point.

Analyst Behaviors

Analyst Behaviors is a feature where analysts participate in sharing data to RSA community. This is an automated data collection service. Its goal is to share potential threat intelligence data to the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various types of meta data captured by Security Analytics such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, domain.src.

Note: All data collected locally is de-identified and obfuscated and then sent securely and anonymously to the RSA Live Connect cloud service, where it is stored in a secure environment.

Description

Live Connect Threat Data Sharing has been developed as a Community based threat intelligence sharing platform.

It has the following characteristics and goals:

  • Crowd-sourced: the RSA community contributes to the entire collection of intelligence
  • Centrally collect and analyze data from the RSA community
  • Reduce the intelligence cycle time from days to minutes

Some details to consider:

  • We are leveraging analyst investigation activity
  • We are harvesting meta data such as IP addresses and domain names
  • We are doing deep data analysis: Trending, correlation, anomaly detection
  • Remember, this feature is currently in Beta

Participation

Customer participation is optional. Upon initial install or upgrade to Security Analytics 10.6, you are presented with a confirmation screen. By default, you are entered into the program, but you can opt out at any time.

Cloud Authentication

Authentication for the program is done in the Security Analytics UI, where you configure the Live account in the Live services section.

Configuration

To view or change the settings for Live Connect Threat Data Sharing, in the Security Analytics menu, select Administration > System > Live Services. Check or clear the Enable box to participate or stop participating in the program.

Data Collection

Data is collected as follows:

  • Data Attribution: Anonymous
  • Data Source: Subset of meta keys and meta values of a Security Analytics analyst's page views from the Security Analytics Core Query logs.
  • Query Log Harvesting Process:

    • Timing: Batch mode every 24 hours (4 AM – 6 AM UTC)
    • Log Collection: Security Analytics server collects SA core device log entries for the previous 24 hours
    • Log Entries: Only SDK-Value and SDK-Query API calls that contain a where clause are collected
    • Log Attribute Parsing: Each entry must have one of the following meta key indicators present: ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, or domain.src. If so, meta keys and meta values from the entry will be collected.

    Note: Once the above criteria is met, Security Analytics sends all of the meta keys and values from the query to the cloud—not just the meta key indicators.

The log report is sent in JSON format, over SSL. It contains:

  • Timestamps
  • Live CMS username (sha256)
  • Security Analytics license server ID (sha256)
  • List of SA endpoint IDs (sha256)
  • Harvested meta values (MD5 and SHA256 hashed)

Example

This section lists entries from a log, and then the corresponding section of extrapolated data.

Section from a log file:

User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205237) (thread 2332): fieldName=filter id1=1 id2=23138902 threshold=100000 size=20 flags=sessions,sort-total,order-descending,ignore-cache where="(alias.host = 'mail.google.com') && (ip.src = 161.253.31.130) && time=\"2015-12-07 18:08:00\"-\"2015-12-07 21:07:59\"“

Data extrapolation with hashing:

Troubleshooting

This section discusses a bit about troubleshooting Live Connect Threat Data Sharing.

Query Log Retrieval Sample

To retrieve a sample of threat intelligence data sent to Live Connect, you construct a URL by setting the following parameters:

  • sendReport: value is true or false: true to send this report to the Live Connect server. False to just create the report for viewing. The value defaults to false.
  • hashValues: value is true or false: true to hash the values as md5/sha256. False to show values in clear text – should use only for manual viewing. Defaults to false.
  • startDate / endDate: Dates for time boundaries for log entries. Format: YYYY-MM-DD HH:mm:ss

The following is an example of the URL to use to retrieve query logs:

https://<server>/admin/liveconnect/force_aggregation?startDate=2016-01-18%2000:00:00&endDate=2016-01-19%2010:10:00&sendReport=false&hashValues=true

System Logging: Debug

You can access some debug information as follows.

  1. In the Security Analytics menu, select Administration > System > System Logging.
  2. Select the Settings tab.
  3. In the Package Configuration section, select com > netwitness > platform > server > liveconnect > service (DEBUG).

You are here
Table of Contents > References > Security Analytics Feedback and Data Sharing

Attachments

    Outcomes