Overview of RSA NetWitness Logs and Packets

The challenge of Information Systems Security (ISS) can be summarized as follows: ISS professionals must get it right every time, while attackers only need to succeed once. The idea behind this summary is that attackers can take their time to survey networks, evaluate the security controls in place, and find weaknesses to exploit. ISS professionals, meanwhile, must continually search for traces of suspicious activity, assess vulnerabilities, and be ready to respond quickly to a wide range of attack types. Analytics tools such as the RSA NetWitness suite are designed to reduce the information overload they face.

RSA NetWitness Logs and Packets

It is no longer viable today in a large enterprise to expect targeted security checks to be fast enough and effective enough to counter advanced attacks. Security analytics has emerged to address the need to collect and integrate data from multiple sources and then look for patterns of potentially malicious activity.

RSA launched NetWitness Suite during the summer. It builds on the previous vendor offering, RSA Security Analytics, and includes NetWitness Logs and NetWitness Packets, alongside EndPoint and SecOps Manager products, among others.

The NetWitness Logs and Packets platform is designed to provide advanced analytics capabilities, including real-time behavioral analysis and visibility into infrastructure hosts as well as network and cloud resources. For this, it relies notably on the capture of network packets and the collection of NetFlow logs.

Supervise and investigate

RSA NetWitness Logs and Packets has several components dedicated to different operations, including a decoder, a concentrator and a broker. The decoder is responsible for the real-time collection of network data; it also normalizes that data and reconstructs sessions. It can additionally collect streams and data from endpoints.

The concentrator collects the information generated by the decoders and provides the mechanisms needed to manage distributed decoders. A hybrid decoder/concentrator appliance is available for monitoring small branch offices.

The broker supports analytic services by federating queries across the distributed platform. It lets administrators work from a single device to query information across the entire infrastructure.

The suite also includes an archive system for long-term storage and compression of log data, as well as a virtual log collector that connects to remote sites.

Behavioral analysis

One of the key features of the RSA NetWitness suite is its behavioral analysis engine. Shortly after the announcement of the suite, the vendor added real-time behavioral analysis capabilities to the platform. This component uses machine learning to detect abnormal activity and behavior for both users and hosts in the infrastructure.

According to RSA, this analytic engine is particularly designed to detect lateral movement by attackers.

Data enrichment

In addition to collecting data, the RSA NetWitness platform provides enrichment and event stream analysis. This includes adding markers (tags) that highlight threat indicators, or any other relevant attribute, to speed up analysts' work and free them from some of the low-level analysis. This type of analysis serves as a foundation for building real-time alerting mechanisms, and RSA NetWitness includes tools for triaging large volumes of data and prioritizing the response.

The Event Stream Analysis (ESA) module is an analytical engine designed to correlate data from different events. It can use log metadata, NetFlow, packets and other sources. What's more, companies can write their own rules for collecting and processing data.
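To make the enrichment and correlation ideas from the two paragraphs above concrete, here is an added example of a toy normalize, enrich and correlate pipeline. It is not RSA's code and does not use the NetWitness rule language; the sshd syslog lines, the flow records, the threat-indicator list, the asset inventory and the two rule names are all constructed for the example. It shows the pattern the ESA paragraph describes: events from two sources (syslog and NetFlow) are normalized into one schema, tagged with markers an analyst would otherwise look up by hand, and then matched against rules that only make sense once both sources are in the same stream.

```python
# Added example (not RSA's code): a toy normalize -> enrich -> correlate pipeline.
# Indicators, asset map, rule names and all sample records are constructed.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat intelligence: addresses an analyst wants flagged on sight.
THREAT_IPS = {"203.0.113.45"}
# Constructed asset inventory, used to attach a host name to flow records.
ASSETS = {"10.0.0.11": "web01", "10.0.0.5": "db01"}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass
class Event:
    ts: datetime
    source: str          # "syslog" or "netflow"
    host: str
    action: str          # normalized verb: auth_failure, auth_success, flow
    src_ip: str = ""
    dst_ip: str = ""
    user: str = ""
    tags: set = field(default_factory=set)


def parse_syslog(line):
    """Normalize one sshd syslog line; returns None for lines the rules ignore."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m["msg"])
    if not a:
        return None
    action = "auth_success" if a["result"] == "Accepted" else "auth_failure"
    return Event(datetime.fromisoformat(m["ts"]), "syslog", m["host"], action,
                 src_ip=a["src"], user=a["user"])


def parse_netflow(rec):
    """Normalize a flow record (dict form, as a collector might hand it over)."""
    return Event(datetime.fromisoformat(rec["ts"]), "netflow", "", "flow",
                 src_ip=rec["src"], dst_ip=rec["dst"])


def enrich(event):
    """Attach the markers the text describes: asset name and threat-indicator tag."""
    if not event.host:
        event.host = ASSETS.get(event.src_ip, event.src_ip)
    if event.src_ip in THREAT_IPS or event.dst_ip in THREAT_IPS:
        event.tags.add("threat.ip")
    return event


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Two cross-source rules, evaluated over events in time order.

    Rule 1: a successful login preceded by >= threshold failures from the same
            source within the window -> high.
    Rule 2: any contact with a flagged IP -> medium, raised to critical when the
            host triggered rule 1 within the window (the enrichment tag and the
            syslog rule together give context neither source has alone).
    """
    alerts = []
    failures = {}      # (host, src_ip) -> timestamps of failed logins
    compromised = {}   # host -> time of a login that followed a burst of failures
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.src_ip)
        if e.action == "auth_failure":
            failures.setdefault(key, []).append(e.ts)
        elif e.action == "auth_success":
            recent = [t for t in failures.get(key, []) if e.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append(("bruteforce_then_login", "high", e.host, e.ts))
                compromised[e.host] = e.ts
        if "threat.ip" in e.tags:
            recent_login = e.host in compromised and e.ts - compromised[e.host] <= window
            alerts.append(("threat_ip_contact", "critical" if recent_login else "medium",
                           e.host, e.ts))
    return alerts


# Constructed sample input: a short password-guessing burst on web01 that ends in a
# successful login, followed by an outbound flow from web01 to a flagged address.
SYSLOG = """\
2024-05-01T10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
2024-05-01T10:00:03 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
2024-05-01T10:00:05 web01 sshd[1201]: Failed password for root from 198.51.100.7 port 51238 ssh2
2024-05-01T10:00:09 web01 sshd[1202]: Accepted password for root from 198.51.100.7 port 51240 ssh2
2024-05-01T10:01:00 db01 sshd[900]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
"""
NETFLOW = [
    {"ts": "2024-05-01T10:00:30", "src": "10.0.0.11", "dst": "203.0.113.45", "dport": 443, "bytes": 84000},
    {"ts": "2024-05-01T10:02:00", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 5432, "bytes": 2000},
]


def run_pipeline(syslog_text=SYSLOG, flows=NETFLOW):
    """Normalize both sources, enrich, and return the correlated alerts."""
    events = [enrich(ev) for ev in (parse_syslog(l) for l in syslog_text.splitlines()) if ev]
    events += [enrich(parse_netflow(r)) for r in flows]
    return correlate(events)


if __name__ == "__main__":
    for name, sev, host, ts in run_pipeline():
        print(f"{ts.isoformat()} {sev:8} {name} host={host}")
```

Run as a script it prints two alerts: the brute-force login on web01 at high severity, then the flow to the flagged address at critical severity, because the enrichment step mapped the flow's source address back to web01 and the correlation step already held a recent suspicious login for that host. Feed it only the flow records and the same contact is reported at medium severity, which is the point of correlating across sources rather than alerting on each one in isolation.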

RSA NetWitness Logs and Packets has been designed as a distributed tool that can operate across large networks and complex topologies. The analytical modules can perform both real-time and post-mortem analyses. Integration with RSA Security Operations Center is useful for consolidating and coordinating monitoring and response around this platform.

It is aimed at companies with specialized security teams that can take full advantage of the platform's capabilities. Smaller organizations may prefer alternative offerings.