ARCHITECTURE
Solution Brief
SUMMARY
New security threats demand a new approach to security management. Security teams
need a security analytics architecture that can handle a much greater volume and wider
scope of data than at present, not to mention provide them with tools to lead them
quickly to the most pressing issues. They need threat intelligence about the latest tools,
techniques, and procedures in use by the attacker community, and the ability to track
and manage the responses initiated as a result of the issues they identify.
[Figure: threat actor landscape. Criminals: petty criminals (unsophisticated) and organized crime (organized, sophisticated supply chains targeting PII, financial services, retail). Nation State Actors. Non-state Actors: terrorists (targeting PII, government, critical infrastructure) and anti-establishment vigilantes (hacktivists, targets of opportunity).]
However, in today's landscape, new requirements need to be taken into account. Attacks
now come not just from vandals or amateurs, but from sophisticated criminal enterprises
and even nation states. These attackers deploy advanced techniques such as covering
their tracks in log files and minimizing the number of auditable events. As such,
traditional SIEM proves insufficient, and organizations must take a more advanced
approach to countering these threats.
To this end, experienced security practitioners are asking RSA to help them:
Collect everything that's happening in my infrastructure. Previous approaches to
security have depended on using information about known threats to decide
which data to collect about what is happening within the environment. With more
agile, advanced threats, making those assumptions ahead of time makes it likely that
when a threat arises, the security team won't have all the information needed to
respond properly. This means that in today's environment, security teams want to collect
everything about what is going on.
Help me to identify key targets and threats. In a large, complex IT infrastructure, it is
difficult to keep track of what each system does and the ways in which it might be
attacked. Security teams need a way to interface with the business to identify the most
critical information, business processes, and supporting assets, to best assess the
threats the organization faces.
Enable me to investigate and prioritize incidents. Also in a large, complex IT
infrastructure, there are often so many issues to deal with that security teams need
more guidance around identifying the most pressing issues, and which ones could have
the highest impact to the business. This means having more information about the
business context of incidents and the criticality of systems and processes they affect.
Enable me to manage those incidents. Responding to incidents can be a tricky affair,
from assessing the damage, to communication, to remediation and cleanup, requiring
the coordination of resources across a wide range of teams, both within IT and across
the business. Security teams need a way to kick off and coordinate these activities to
minimize the adverse impact on the business.
A unified approach to security analytics. RSA aims to provide a common set of tools for
analyzing security data, to support the major analytic activities, from alerting and
reporting to malware analytics.
A governance layer that binds security analytics to the business. RSA's unique portfolio
helps customers streamline the process of gathering information from the business
about critical business processes and systems, and the business requirements for
securing them.
Threat Intelligence that empowers customers with up-to-date knowledge. RSA
distributes current, actionable intelligence about the threat environment to the
products, allowing organizations to relate the intelligence specifically to their
environments.
The RSA approach provides customers with:
Comprehensive visibility. RSA's portfolio allows unparalleled visibility into what is
happening within the infrastructure.
Infrastructure to support collection without limitations: the ability to collect many types
of security data, at scale and from many types of data sources
Unified visibility into network and log data: single place to view data about advanced
threats and user activity from data gathered directly from the network or from key
systems
Agile analytics. RSA provides tools that make detailed information available to
investigators in the simplest way possible.
Platform for performing rapid investigations: intuitive tools for investigation presented
for rapid analysis, with detailed drill down and incorporation of business context to
better inform the decision making process
Session replay and signature-free analytics: tools to home in on the most suspicious
users and endpoints connected to your infrastructure and the tell-tale signs of
malicious activity. Also provides the ability to recreate and replay exactly what
happened
Actionable Intelligence. Threat intelligence provided by RSA helps security analysts get
the most value from RSA products by incorporating feeds of current threat information.
Current threat intelligence correlated with collected data: proprietary intelligence from a
community of security experts, built into our tools and leveraged through rules, reports,
and watch lists to gain insight into threats from data collected from the enterprise
Prioritized actions based upon business context: incorporation of information from the
business showing the relationship between the systems involved and the business
functions they support
Optimized process management. RSA products help security teams streamline the
diverse set of activities related to preparedness and response.
Technology and services for full security and compliance lifecycle: a workflow system to
define and activate response processes, plus tools to track current open issues, trends,
and lessons learned. Also provide industry-leading services to help prepare, detect, and
respond to incidents
Integrated into a security and compliance management system: integration with the
RSA portfolio and third-party tools to exchange information with the wide range of tools
needed to identify and handle incidents and to streamline compliance management
About RSA
RSA, The Security Division of EMC, is
the premier provider of security, risk
and compliance management
solutions for business acceleration.
RSA helps the world's leading
organizations solve their most
complex and sensitive security
challenges. These challenges include
managing organizational risk,
safeguarding mobile access and
collaboration, proving compliance,
and securing virtual and cloud
environments.
RSA NetWitness Live research team tracks over five million IPs and domains and
hundreds of unique threat feed sources
RSA updates and dynamically distributes its threat content library every hour through
RSA NetWitness Live
RSA addresses the people, process, and technology challenges of security and compliance
RSA is a leading provider of services to assist with incident preparedness, plus incident
response and cleanup
RSA has the only solution to support both IT and business aspects of managing security
through its integration with the RSA Archer eGRC platform
RSA has the unified platform to support compliance management, security threat
management, incident management, and business continuity management
EMC2, EMC, the EMC logo, RSA, NetWitness, and the RSA logo are registered trademarks or trademarks of EMC
Corporation in the United States and other countries. All other products or services mentioned are trademarks of their
respective companies. Copyright 2012 EMC Corporation. All rights reserved. Published in the USA.
www.rsa.com