Hi,
I am going through RSA NetWitness Security Analytics a huge amount of Data Leak matches, but each of them so far are false positive.
For example, how can I filter for "cc.number exists and match traffic flow is outbound?"
Or for customer matches as well.
Thanks
Hi John,
thanks for the answer. However, my understanding, is that this traffic direction, is matching traffic initiated from inbound to external, and doesn't necessarily is for the matching patterns.
Here's what I want to avoid :
1 - HTTP GET request sent from inside the organization to any external web site. External web site responds with content that triggers DLP rules or match filters.
The traffic will be marked as OUTBOUND, private.src and external.dst will match
Regards,
So are you looking someone "sending" files to a site? you could try action='put' in the rule, but the issue is, since we sessionize the traffic, it's not parsed packet by packet like and IDS. So you can have multiple actions in s session, so that will probably not work. It might get you closer, with less false positives, but may not.
Are you decrypting SSL? If not, none of this will really help, since the majority of exfiltration is done to SSL enabled sites (google docs, dropbox, icloud drive, or any myriad of online storage sites, that will not give you the data you are looking for, unless you are decrypting your outbound traffic.
Do you have the "Traffic_Flow" parser and the "Traffic_Flow_Options" file deployed to your decoders from RSA Live?
Once deployed:
<key description="Network Name" level="IndexValues" name="netname" format="Text" valueMax="10000"/>
<key description="Traffic Flow Direction" level="IndexValues" name="direction" format="Text" valueMax="10000"/>
In the "Network Name"(netname) key, you will see values like "private.src" & "private.dst", whatever names you put on the networks will show up with .src and .dst entries. any networks NOT defined will show up as "external..src" & "external.dst"
In the "Traffic Flow Direction"(direction) key, you will get three entries, "inbound", "outbound" & lateral"
Inbound = Unknown Source Network to Known Destination Network
Outbound = Known Source Network to Unknown Destination Network
Lateral - Known Source Network to Known Destination Network
For partners nets, if you name them "partner", then you could add application rules for those directions:
internal-partner netname='internal.src' && netname='partner.dst' alert=direction
partner-internal netname='partner.src' && netname='internal.dst' alert=direction
The partner nets would show up in the direction key as both "lateral" & 'internal-partner' or 'partner-internal'
Now you can use the direction key for tuning your rules and alerts
Hope this helps