RSA Security Analytics is an enterprise security information and event management (SIEM) product.
SIEM products have existed since the mid-1990s and are a key element of a security monitoring team's toolset. The purpose of a SIEM is to gather, analyze and report on security log data, providing a single interface where data can be collected and stored. It is a tool that analyzes and prioritizes incidents across various sources; because security tools create a vast number of entries, it is essential to prioritize the data.
RSA Security Analytics reviews the security log entries for any suspicious activity and then reports the signs to administrators. It can be thought of as an advanced SOC solution which:
- Increases our incident detection and investigation capabilities.
- Provides complete visibility by combining logs with network data.
- Detects and analyzes the most advanced attacks before they can impact the business.
Altogether it provides better visibility, analysis and workflow. Visibility is better in the sense that we can see everything that is happening in our environment, not just who has logged on, so we can monitor and check for any suspicious activity. It also allows us to store a variety of data, from basic archiving to long-term storage, at a low cost.
It provides correlation across network and endpoints with the help of its event stream analysis, which correlates data across the network so that not only potential threats but also the most advanced threats can be found. Nowadays advanced attacks are mostly found across the network, which makes them difficult to notice in a sea of data, because such huge volumes need more time and deeper analysis. This means that we can not only detect obvious attacks like password guessing or brute-force attempts, but also threats like a suspicious file being downloaded or beaconing.
RSA Security Analytics provides a platform to investigate every minute detail of alerts and incidents. In addition, it has an interface where we can monitor alerts, incidents and devices at a glance, which is essential for security investigations. Because Security Analytics has access to endpoint and packet data as well as NetFlow and log data, we can rapidly investigate in depth to understand what is happening and what needs to be done.
Key architectural components are:
- Decoder: captures and reconstructs data/network traffic from various devices.
- Concentrator: indexes the data extracted from the network and makes it available for querying and real-time analysis, which supports reporting and alerting.
- Analytic server/broker: hosts the web server used for reporting, investigation and other tasks; it also bridges the real-time data from the various decoders/concentrators throughout the infrastructure.
- Event stream analysis engine: processes large volumes of event data and applies correlation to the events flowing through the network.
- Archiver: indexes and compresses data for archival storage. The data is then made available for long-term retention and compliance reporting.
- Warehouse: a Hadoop-based distributed computing system which collects, manages and stores long-term security data so that it is available for analysis. The warehouse can be made up of 3 or more nodes depending on the requirements.
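To make concrete the kind of cross-source correlation the event stream analysis engine is described as doing (finding password guessing and beaconing in the paragraph above and in the component list), here is an added toy example written for this page; it is not RSA code and does not use the ESA rule syntax, and every event in it is constructed sample data:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def _t(s):  # parse the constructed timestamp format used below
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (not real data): (time, source, event, target).
# auth_* rows stand for a login log, conn rows for NetFlow-style records, so correlation spans sources.
EVENTS = [
    ("2024-01-01 10:00:00", "10.0.0.5", "auth_fail", "srv1"),
    ("2024-01-01 10:00:03", "10.0.0.5", "auth_fail", "srv1"),
    ("2024-01-01 10:00:07", "10.0.0.5", "auth_fail", "srv1"),
    ("2024-01-01 10:00:12", "10.0.0.5", "auth_fail", "srv1"),
    ("2024-01-01 10:00:15", "10.0.0.5", "auth_fail", "srv1"),
    ("2024-01-01 10:00:16", "10.0.0.5", "auth_ok", "srv1"),  # success after the burst
    ("2024-01-01 10:00:00", "ws7", "conn", "203.0.113.7"),
    ("2024-01-01 10:01:00", "ws7", "conn", "203.0.113.7"),
    ("2024-01-01 10:02:01", "ws7", "conn", "203.0.113.7"),
    ("2024-01-01 10:03:00", "ws7", "conn", "203.0.113.7"),
    ("2024-01-01 10:00:30", "ws7", "conn", "198.51.100.2"),  # ordinary traffic
    ("2024-01-01 10:07:00", "ws7", "conn", "198.51.100.2"),
]

def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag any source with >= threshold failed logins inside a sliding window."""
    recent, alerts = defaultdict(list), set()
    for ts, src, ev, _ in sorted(events):
        if ev != "auth_fail":
            continue
        now, q = _t(ts), recent[src]
        q.append(now)
        while now - q[0] > window:  # drop failures that aged out of the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.add(src)
    return alerts

def detect_beaconing(events, min_count=4, max_jitter=0.1):
    """Flag (host, destination) pairs contacted at near-constant intervals:
    stdev of the gaps between contacts is below max_jitter * mean gap."""
    conns, alerts = defaultdict(list), set()
    for ts, src, ev, dst in sorted(events):  # sorted, so each list is chronological
        if ev == "conn":
            conns[(src, dst)].append(_t(ts))
    for pair, times in conns.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and pstdev(gaps) < max_jitter * mean(gaps):
            alerts.add(pair)
    return alerts
```

The thresholds, window and jitter tolerance are arbitrary choices for the sample; in a real deployment they are tuned against the volume and regularity of normal traffic so the rules do not fire on scheduled jobs or ordinary typos.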
RSA Security Analytics enables security monitoring, incident monitoring and investigation, malware analytics and compliance reporting through a single interface that can be navigated back and forth. It allows security analysts to keep a proper eye on activities, assets, alerts and so on. Its key features are as follows:
- Monitoring and analytics:
  - Provides a single platform for capturing, storing and analyzing security data, network logs and other data.
  - Integrates with RSA Security Operations Management for incident remediation.
  - Automatically generates alerts on suspicious behavior, with content delivered through RSA Live.
  - Gives analysts better visibility so that they can investigate security incidents, alerts and asset-related issues in depth.
  - Also provides compliance reporting.
- Incident investigation:
  - Accelerates security investigations by enabling the analyst to navigate through terabytes of data of any type, whether network logs or event logs.
  - Provides an interface that supports investigation from every angle.
- Unified browser-based dashboard:
  - HTML5-based user interface which allows customizable analysis of data.
  - Increases our efficiency by providing monitoring, detection, investigation and administration in a single interface.
  - The dashboard and its views can be customized to our needs.
- Real-time collection and investigation:
  - A distributed collection infrastructure allows logs and network packets to be captured simultaneously.
  - Its event stream analysis engine provides advanced analysis, such as complex event processing and correlation at high throughput.
  - Distributed data management makes real-time analysis, log monitoring, reporting and investigation easier.
- Long-term storage and forensic analysis:
  - The archiver allows long-term storage of data which can later be used for compliance reporting.
  - A distributed warehouse allows analysis and reporting on security data, including log data as well as network logs and packets.
  - It can be scaled to more than 3 nodes as our requirements grow.
  - It is flexible enough to be modified according to security-related requirements.