How Warehouse Analytics Works

Document created by RSA Information Design and Development Employee on Sep 11, 2017. Last modified by RSA Information Design and Development Employee on Apr 2, 2018.
Version 6

Note: Warehouse Analytics is not supported in NetWitness Suite 11.0 or later.

Data analysts can run Warehouse Analytics models against the data held in the RSA Warehouse to analyze sessions and surface indicators of compromise (IOCs).

Reports Generated Using Warehouse Analytics Models

Cyber threat intel analysts can view reports of early indicators of compromise in packet data using the Warehouse Analytics models. The following models are available on Live; each must be imported and defined as a Warehouse Analytics job before you can generate reports from it.

Suspicious Domains 

The Suspicious Domains model identifies malicious or suspicious domains based on their communication behavior. It uses a data-driven, automatic approach designed to identify risky activity that signature-based solutions are likely to miss. The model builds a profile describing the behavior of each domain and applies a probabilistic risk assessment to those profiles to reveal the most suspicious domains. Using the resulting scores, you can find the domains in your network that are most likely to be used for malicious activity.

You can view a report with the following information:

  • List of high risk destination domains and a ranking for all observed domains based on level of anomaly
  • A comprehensive report explaining why each domain is high risk
  • Risk scoring for each domain
  • Unified risk score of the domain relative to all domains and based on multi-dimensional analysis of features about the connection.

Based on this information you can investigate further, block the domains, and recommend changes to security policy to prevent such connections from recurring. You can also build your own local domain blacklists and use them during incident investigation, or to define a new security policy that prevents your assets from connecting to similar malicious domains in the future.

Suspicious DNS Activity

The Suspicious DNS Activity model identifies malicious domains based on a DNS communication pattern common to botnets. The model uses an automatic method to detect domains that exhibit a fast-flux hosting pattern, in which the IP addresses a domain resolves to change constantly. Constantly changing resolutions are also produced by load-balanced hosts and content distribution networks (CDNs); the model differentiates between these legitimate cases and botnet infrastructure and reports only the malicious domains. Once a domain is identified, you can isolate the internal host making the requests and block its access to the network.

You can view a report with the following information:

  • List of domains showing suspicious fast-flux DNS with an associated risk score.
  • Graph of the associated CDN communication with a score indicating whether the domain is showing the fast-flux pattern or not.
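The distinction the model draws between fast-flux domains and CDN or load-balanced hosts can be illustrated with a small heuristic scorer. The code below is an added example, not RSA's model, and its features (churn into never-seen addresses, spread of addresses across /16 prefixes), weights and thresholds are assumptions chosen for illustration; the DNS answer data is constructed inline. It shows why a CDN rotating a fixed pool scores low while a domain that keeps resolving to new, scattered addresses scores high, and how a domain with too little history or too few addresses is left unscored rather than guessed at.

```python
"""Toy fast-flux scorer over DNS answers, an added illustration; not RSA's model or its thresholds."""
from collections import defaultdict

MIN_DISTINCT_IPS = 4   # assumed: a flux network needs a sizeable pool of addresses
FLUX_THRESHOLD = 0.6   # assumed cut-off on the combined score


def _records(domain, per_bucket_ips, ttl):
    """Expand per-time-bucket answer sets into (bucket, domain, ip, ttl) rows (constructed data)."""
    return [(b, domain, ip, ttl) for b, ips in enumerate(per_bucket_ips) for ip in ips]


CDN_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
LB_POOL = ["198.51.100.20", "198.51.100.21", "198.51.100.22", "198.51.100.23"]
# 12 addresses, each in a different 10.x /16, standing in for scattered compromised hosts
FLUX_IPS = ["10.%d.%d.%d" % (n, (7 * n) % 251, (13 * n) % 251) for n in range(1, 13)]

SAMPLE_RESOLUTIONS = (
    # CDN: a fixed pool of four addresses handed out two at a time in rotation
    _records("cdn.example.net", [CDN_POOL[:2], CDN_POOL[2:], [CDN_POOL[0], CDN_POOL[2]],
                                 [CDN_POOL[1], CDN_POOL[3]], [CDN_POOL[0], CDN_POOL[3]],
                                 [CDN_POOL[1], CDN_POOL[2]]], 60)
    # round-robin load balancer: the same four addresses every time
    + _records("lb.example.org", [LB_POOL] * 6, 300)
    # static internal host: one address, long TTL
    + _records("intranet.example.com", [["192.0.2.5"]] * 6, 3600)
    # fast-flux: two never-seen addresses per bucket, short TTL
    + _records("flux.example.test", [FLUX_IPS[i:i + 2] for i in range(0, 12, 2)], 30)
)


def score_domain(rows):
    """rows: (bucket, ip, ttl) for one domain. Returns features, a 0..1 score and a reason."""
    by_bucket = defaultdict(set)
    ttls = []
    for bucket, ip, ttl in rows:
        by_bucket[bucket].add(ip)
        ttls.append(ttl)
    distinct = set().union(*by_bucket.values())
    result = {"distinct_ips": len(distinct), "min_ttl": min(ttls), "novelty": 0.0,
              "prefix_diversity": 0.0, "score": 0.0, "fast_flux": False, "reason": ""}
    if len(by_bucket) < 2:
        result["reason"] = "insufficient history"
        return result
    if len(distinct) < MIN_DISTINCT_IPS:
        result["reason"] = "too few distinct addresses"
        return result
    # novelty: share of each bucket's answers never returned in any earlier bucket.
    # A CDN or load balancer reuses its pool, so novelty collapses once the pool is learned.
    seen, novelty = set(), []
    for i, bucket in enumerate(sorted(by_bucket)):
        ips = by_bucket[bucket]
        if i > 0:
            novelty.append(len(ips - seen) / len(ips))
        seen |= ips
    # prefix diversity: distinct /16s per distinct address; a hosting pool clusters, bots do not
    prefixes = {".".join(ip.split(".")[:2]) for ip in distinct}
    result["novelty"] = round(sum(novelty) / len(novelty), 3)
    result["prefix_diversity"] = round(len(prefixes) / len(distinct), 3)
    result["score"] = round(0.6 * result["novelty"] + 0.4 * result["prefix_diversity"], 3)
    result["fast_flux"] = result["score"] >= FLUX_THRESHOLD
    result["reason"] = ("churn into previously unseen addresses and prefixes"
                        if result["fast_flux"] else "stable address pool")
    return result


def score_all(resolutions):
    """Group (bucket, domain, ip, ttl) rows by domain and score each domain."""
    per_domain = defaultdict(list)
    for bucket, domain, ip, ttl in resolutions:
        per_domain[domain].append((bucket, ip, ttl))
    return {domain: score_domain(rows) for domain, rows in per_domain.items()}


def ranked(resolutions):
    """Domains ordered by descending score, the shape of the report's ranked list."""
    scores = score_all(resolutions)
    return sorted(scores, key=lambda d: scores[d]["score"], reverse=True)


if __name__ == "__main__":
    scores = score_all(SAMPLE_RESOLUTIONS)
    for domain in ranked(SAMPLE_RESOLUTIONS):
        r = scores[domain]
        print(f"{domain:22} score={r['score']:<5} flux={r['fast_flux']!s:5} "
              f"ips={r['distinct_ips']:<3} min_ttl={r['min_ttl']:<5} {r['reason']}")
```

TTL is reported but deliberately left out of the score: CDNs use short TTLs too, so on its own it does not separate the two cases. In production the time buckets would come from the ETL output rather than an in-memory list, and the prefix feature would normally use ASN or BGP prefix rather than a raw /16.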

Host Profile

The Host Profile model collects and summarizes all HTTP, HTTPS, and DNS activity for each internal host seen in the network data. It allows fast investigation of the different usage patterns of a host, and gives the analyst answers to questions that arise during an investigation and would otherwise require multiple queries or manual comparisons.

You can view a report with color-coded heat maps that show the risk of beacon traffic from each host, and graphs that provide details on the traffic.
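The beacon heat map rests on one observation: malware check-ins recur at a fixed interval, human browsing does not. The following is an added example of that idea, not the Host Profile model itself. It parses constructed proxy-log lines (timestamp, source host, destination domain; not real data), scores each host/destination pair by the regularity of the gaps between connections (1 minus the coefficient of variation, floored at zero), and maps each host's strongest score to a heat-map colour. The minimum-connection threshold, the colour bands and the log format are assumptions.

```python
"""Beacon regularity per host/destination from constructed proxy logs; an added example, not RSA's model."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_CONNECTIONS = 4                                    # assumed: fewer hits cannot establish a period
HEAT = [(0.8, "red"), (0.5, "amber"), (0.0, "green")]  # assumed colour bands on the best beacon score


def _lines(host, domain, start, gaps):
    """Constructed log lines '<ISO-8601 UTC> <src host> <dst domain>' from a start time and gap list."""
    t = start
    out = [f"{t:%Y-%m-%dT%H:%M:%SZ} {host} {domain}"]
    for gap in gaps:
        t += timedelta(seconds=gap)
        out.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {host} {domain}")
    return out


T0 = datetime(2017, 9, 11, 0, 0, 0)
SAMPLE_LOG = (
    _lines("10.0.0.5", "c2.example.test", T0, [300] * 7)                                 # strict 5-minute beacon
    + _lines("10.0.0.5", "www.example.com", T0 + timedelta(seconds=42), [5, 120, 17, 600, 43])  # browsing
    + _lines("10.0.0.7", "update.example.org", T0, [540, 660, 600, 570, 630])             # beacon with +/-10% jitter
    + _lines("10.0.0.9", "rare.example.net", T0, [900])                                  # too few hits to judge
)


def parse_line(line):
    """Split one constructed log line into (datetime, host, domain)."""
    ts, host, domain = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, domain


def beacon_score(timestamps):
    """1.0 = perfectly periodic, 0.0 = no regularity; needs MIN_CONNECTIONS hits or it abstains with 0.0."""
    if len(timestamps) < MIN_CONNECTIONS:
        return 0.0
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return 0.0
    return round(max(0.0, 1.0 - pstdev(gaps) / m), 3)


def heat_colour(score):
    return next(colour for threshold, colour in HEAT if score >= threshold)


def profile(lines):
    """Per host: each destination with hit count and beacon score, plus the host's heat-map colour."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, host, domain = parse_line(line)
        by_pair[(host, domain)].append(ts)
    hosts = defaultdict(dict)
    for (host, domain), ts in by_pair.items():
        hosts[host][domain] = {"hits": len(ts), "beacon_score": beacon_score(ts)}
    return {host: {"destinations": dests,
                   "heat": heat_colour(max(d["beacon_score"] for d in dests.values()))}
            for host, dests in hosts.items()}


if __name__ == "__main__":
    for host, info in profile(SAMPLE_LOG).items():
        print(f"{host:10} heat={info['heat']}")
        for domain, d in info["destinations"].items():
            print(f"    {domain:20} hits={d['hits']:<3} beacon={d['beacon_score']}")
```

The jittered beacon still scores 0.929 because ten percent jitter barely moves the coefficient of variation, which is the reason a regularity score is preferred over an exact-interval match. Sparse destinations are reported but left at 0.0 rather than scored from one or two gaps, which is the cheapest way to keep the heat map from lighting up on noise.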

After the report is generated, you can perform the following tasks:

  • Use a blacklist to alert on IPs or domains, and a whitelist to ignore IPs or domains that are known to be benign.
  • Create actionable security incidents from incoming alerts.
    • Integrate incidents with a third-party help desk system to track the remediation process.
    • Integrate with RSA Archer eGRC for incident management and remediation.
  • Use the Investigation module to identify root causes.

How Data is Processed from the Warehouse

The Extract, Transform, and Load (ETL) job is a backend process that runs on the Warehouse and pre-processes the packet data into the form the Warehouse Analytics models consume. The ETL job runs automatically every day at the scheduled time. Its output is the input to the Suspicious Domains, Suspicious DNS Activity and Host Profile models, so none of those models can run against a day whose ETL job has not completed.

When the ETL job runs for the first time, it processes data from the past 14 days (in UTC); each subsequent run processes data from the previous day (in UTC). Because the window is defined in UTC, a job scheduled in local time may cover a different calendar day than expected. If you want to run the ETL job for any other date range, use the Test job option.

Note: ETL jobs do not generate any viewable reports. If the first ETL run fails, use the Test job option to re-process the data for that time range.
In this version, the module handles packet data only.
