Live: Security Analytics Feedback and Data Sharing

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019.
Version 14

The Live Feedback Activity Log enables you to download the usage data required for Live Feedback. After you download the Live Feedback data, you can then upload it to share with RSA.

The settings for these features are available in the ADMIN > System > Live Services view, in the Additional Live Services section.

Additional Live Services

Participation in the Additional Live Services is configured in the ADMIN > SYSTEM > Live Services view.

Live Feedback

Live Feedback is intended to help improve RSA NetWitness Platform.

Live Feedback description

Once you set up and configure a Live account, usage data is automatically shared with RSA and is protected in accordance with the applicable license agreement. All such data shall be anonymized and shall not have any Personally Identifiable Information.

Before data is sent to RSA, all Personally Identifiable Information is removed. Thus, only anonymous usage data gets transferred to RSA.

For more information, see the "Live Feedback Overview" topic in the System Configuration Guide.

RSA Live Connect

RSA Live Connect is a cloud-based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources, including the RSA NetWitness Platform and RSA NetWitness Endpoint customer community.

RSA Live Connect consists of the following features:

  • Threat Insights
  • Analyst Behaviors

Threat Insights

Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by the analysts during investigation.

By default, Threat Insights is enabled in the Additional Live Services section. If the Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see the "Configure Live Connect Data Source for Context Hub" topic in the Context Hub Configuration Guide.

With Live Connect as a data source for Context Hub, you can use the Context Lookup option in the INVESTIGATE > Navigate view or INVESTIGATE > Events view to fetch contextual information. For more information, see the "Look Up Additional Context in the Navigate and Events Views" topic in the Investigate User Guide.

Analyst Behaviors

Analyst Behaviors is a feature through which analysts share data with the RSA community. It is an automated data collection service whose goal is to share potential threat intelligence data with the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various kinds of meta data captured by NetWitness Platform, such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, and domain.src.

Note: All data collected locally is de-identified and obfuscated and then sent securely and anonymously to the RSA Live Connect cloud service, where it is stored in a secure environment.

Description

Live Connect Threat Data Sharing has been developed as a community-based threat intelligence sharing platform.

It has the following characteristics and goals:

  • Crowd-sourced: the RSA community contributes to the entire collection of intelligence
  • Centrally collect and analyze data from the RSA community
  • Reduce the intelligence cycle time from days to minutes

Some details to consider:

  • We are leveraging analyst investigation activity
  • We are harvesting meta data such as IP addresses and domain names
  • We are doing deep data analysis: Trending, correlation, anomaly detection
  • Remember, this feature is currently in Beta

File Reputation

The File Reputation service provides instant access to the latest signatures via the RSA Live feed, so data is more relevant, with fewer false positives. With this service, users always have reliable data about the reputation of files in their NetWitness Endpoint system. In addition to the whitelisting service, it provides blacklisting information as well.

Participation in RSA Live Connect

On install or upgrade to NetWitness Platform 11.x, a confirmation screen is displayed. You are presented with a New Features Enabled dialog box, where you can enable or disable Threat Insights and Analyst Behaviors.

Cloud Authentication

Authentication for the program is done in the NetWitness Platform UI, where you configure the Live account in the Live services section.

Configuration

To view or change the settings for Live Connect Threat Data Sharing, select ADMIN > System > Live Services. Check or clear the Enable box to participate or stop participating in the program.

Data Collection

Data is collected as follows:

  • Data Attribution: Anonymous
  • Data Source: Subset of meta keys and meta values of a NetWitness Platform analyst's page views from the NetWitness Platform Core Query logs.
  • Query Log Harvesting Process:

    • Timing: Batch mode every 24 hours (4 AM – 6 AM UTC)
    • Log Collection: NetWitness Platform server collects NetWitness Platform core device log entries for the previous 24 hours
    • Log Entries: Only SDK-Value and SDK-Query API calls that contain a where clause are collected
    • Log Attribute Parsing: Each entry must have one of the following meta key indicators present: ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, or domain.src. If so, meta keys and meta values from the entry will be collected.

    Note: Once the above criteria are met, NetWitness Platform sends all the meta keys and values from the query to the cloud, not just the meta key indicators.

The log report is sent in JSON format, over SSL. It contains:

  • Timestamps
  • Live CMS username (sha256)
  • NetWitness Platform license server ID (sha256)
  • List of SA endpoint IDs (sha256)
  • Harvested meta values (MD5 and SHA256 hashed)

Example

This section lists entries from a log, and then the corresponding section of extrapolated data.

Section from a log file:

User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205237) (thread 2332): fieldName=filter id1=1 id2=23138902 threshold=100000 size=20 flags=sessions,sort-total,order-descending,ignore-cache where="(alias.host = 'mail.google.com') && (ip.src = 161.253.31.130) && time=\"2015-12-07 18:08:00\"-\"2015-12-07 21:07:59\""

Data extrapolation with hashing:
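The page does not reproduce the hashed output for this entry. As an added illustration (not RSA's code and not the Live Connect implementation itself), the following Python script applies the harvesting rules described under Data Collection to the log entry quoted above: it keeps only SDK-Value/SDK-Query calls that carry a where clause, requires at least one of the listed meta key indicators, and then emits a JSON report in which every harvested meta value is MD5- and SHA-256-hashed and the identity fields are SHA-256-hashed. The mapping of the log wording "has issued values"/"has issued query" to SDK-Value/SDK-Query, the where-clause grammar, the JSON field names, the identity values and the two extra sample entries are all assumptions made for this example. The point a reviewer of this feature would want to verify is the last one in the script: the serialized report must contain none of the plaintext values from the query.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Meta key indicators listed on the page; an entry qualifies only if at least
# one of them appears in its where clause.
INDICATOR_KEYS = frozenset({
    "ip.src", "ip.dst", "ip.addr", "device.ip", "alias.ip",
    "alias.host", "paddr", "sessionid", "domain.dst", "domain.src",
})

# Assumption: "has issued values" / "has issued query" in the core log are the
# SDK-Value and SDK-Query API calls the page names.
_CALL_RE = re.compile(r"has issued (?P<call>values|query)\b")
# The where clause body; quotes inside it are escaped as \" in the log.
_WHERE_RE = re.compile(r'where="(?P<body>(?:[^"\\]|\\.)*)"')
# One key=value term: 'single-quoted', \"escaped-quoted\" (optionally a
# \"..\"-\"..\" range such as the time window), or a bare token like an IP.
_TERM_RE = re.compile(
    r"(?P<key>[A-Za-z][\w.]*)\s*=\s*"
    r"(?:'(?P<sq>[^']*)'"
    r'|\\"(?P<dq>[^"\\]*)\\"(?:-\\"(?P<dq2>[^"\\]*)\\")?'
    r"|(?P<bare>[^\s()&|'\"]+))"
)

# Sample input (constructed for this example): the entry quoted on the page,
# plus two entries the rules must drop (no where clause; no indicator key).
PAGE_ENTRY = (
    "User admin (session 204298, 10.4.50.60:57454) has issued values "
    "(channel 205237) (thread 2332): fieldName=filter id1=1 id2=23138902 "
    "threshold=100000 size=20 flags=sessions,sort-total,order-descending,ignore-cache "
    "where=\"(alias.host = 'mail.google.com') && (ip.src = 161.253.31.130) "
    "&& time=\\\"2015-12-07 18:08:00\\\"-\\\"2015-12-07 21:07:59\\\"\""
)
NO_WHERE_ENTRY = ("User admin (session 1, 10.4.50.60:1) has issued values "
                  "(channel 2) (thread 3): fieldName=ip.src size=20")
NO_INDICATOR_ENTRY = ("User admin (session 1, 10.4.50.60:1) has issued query "
                      "(channel 2) (thread 3): size=20 "
                      "where=\"(service = 80) && (action = 'get')\"")
SAMPLE_LOG = [PAGE_ENTRY, NO_WHERE_ENTRY, NO_INDICATOR_ENTRY]


def parse_entry(line):
    """Return (call_type, {meta_key: value}) for a qualifying entry, else None.

    Qualifying means an SDK-Value/SDK-Query call whose where clause names at
    least one indicator key. All keys in that clause are then collected, as
    the page's note says, not only the indicators.
    """
    call = _CALL_RE.search(line)
    where = _WHERE_RE.search(line)
    if not call or not where:
        return None
    meta = {}
    for m in _TERM_RE.finditer(where.group("body")):
        if m.group("sq") is not None:
            value = m.group("sq")
        elif m.group("dq") is not None:
            value = m.group("dq")
            if m.group("dq2") is not None:
                value = f"{value} - {m.group('dq2')}"
        else:
            value = m.group("bare")
        meta[m.group("key")] = value
    if not INDICATOR_KEYS.intersection(meta):
        return None
    return call.group("call"), meta


def hash_value(value):
    """Both digests the page lists for harvested meta values."""
    raw = value.encode("utf-8")
    return {"md5": hashlib.md5(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest()}


def build_report(lines, cms_username, license_server_id, endpoint_ids, now=None):
    """Assemble the report the page describes; field names are assumed."""
    def sha(s):
        return hashlib.sha256(s.encode("utf-8")).hexdigest()

    entries = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        call, meta = parsed
        entries.append({"call": call,
                        "meta": {k: hash_value(v) for k, v in meta.items()}})
    return {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "cms_user": sha(cms_username),
        "license_server": sha(license_server_id),
        "endpoints": [sha(e) for e in endpoint_ids],
        "entries": entries,
    }


def serialize_report(report):
    """The JSON document that would be sent over SSL (transport not shown)."""
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    # Identity values below are constructed placeholders.
    doc = serialize_report(build_report(SAMPLE_LOG, "live-user", "lic-0001", ["ep-a", "ep-b"]))
    print(doc)
    for secret in ("161.253.31.130", "mail.google.com", "live-user"):
        assert secret not in doc, f"plaintext leaked: {secret}"
```

Running the script prints one harvested entry (the page's) and drops the other two; the final loop is the check a privacy or data-sharing review would script before enabling the feature: nothing from the where clause or the account identity should appear unhashed in what leaves the network.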
