RSA Security Analytics is the next-generation SIEM from RSA, the successor to RSA enVision. RSA Security Analytics is now a challenger in Gartner's Magic Quadrant for SIEM, behind the market leaders HP ArcSight, Splunk and IBM QRadar.

With RSA Security Analytics we can monitor and capture logs as well as packets. With packet capture, we can completely reconstruct network sessions. We can perform real-time monitoring, alerting, forensic investigation, analytics, incident management and big data management under one centralized view. RSA Security Analytics provides an online and an offline view of the data, depending on the storage it resides on.

Integration with RSA Archer takes incident management to another level. With Event Stream Analysis, alerts are raised as incidents, and the tasks of assigning, following up, tracking, resolving and closing those incidents can be done in RSA Archer. This replaces the age-old method of adding and closing incidents manually.

For capacity, RSA Security Analytics uses DACs (Direct Attached Capacity) or SANs (Storage Area Networks), which are connected to the appliances for online and offline data storage.
Below are some important components of RSA Security Analytics and how they work:

Decoder – Logs and packets are fed into the Decoder, either directly or through Virtual Log Collectors (VLC). The main function of the Decoder is to collect, filter and parse, in real time, all the traffic or logs from hundreds of devices. The parsed logs are then forwarded to the Concentrator, and a second stream is sent directly to the Security Analytics Warehouse, where the raw logs are stored for long-term retention.

Concentrator – This is the appliance responsible for indexing and aggregating metadata in RSA Security Analytics. The metadata makes a log much easier to read and understand. With the Concentrator meta, real-time analysis becomes quite simple, and it is useful for alerting and creating reports.
Event Stream Analysis (ESA) – With Security Analytics, ESA is a separate appliance. It has the vital functions of alerting and correlation, and it is capable of processing a large volume of data. ESA is responsible for correlating across logs, packets and endpoints. With ESA, complex querying and correlation are possible with better throughput and at a faster pace.
Security Analytics Server (SA) – The Security Analytics Server is the user interface. It provides the main front end to all the processes: investigation, alerting, reporting, incident management and administration are all done from the SA server. It is also responsible for role-based access control and authentication.

Warehouse (SAW) – The Security Analytics Warehouse is built on a Hadoop architecture and is responsible for log retention. A stream of data flows directly from the Log/Packet Decoder to the SAW through the Log/Packet Warehouse Connector. The SAW collects, manages and enables reporting on the data being stored, and it consists of three or more self-replicating nodes. A customer with a Security Analytics setup can use either a SAW or an Archiver for log retention. With the Archiver, logs are compressed before they are stored.

Malware Analysis – Malware analysis can also be done with Security Analytics. There are four malware analysis techniques: sandboxing, community intelligence, file content analysis and network behavior analysis. There is a separate licensing cost for Malware Analysis. It has a built-in antivirus signature repository, which is updated through the Live feed.

External Threat Intelligence – RSA also has its own external threat intelligence team, RSA FirstWatch, which keeps publishing new correlation rules, feeds, parsers and advanced-threat content for customers on RSA Live.
Advantages of RSA Security Analytics
- Big Data analytics
- Hadoop Architecture
- Large Enterprise use cases
- External Threat Intelligence (RSA First Watch)
- Malware Analysis
- Packet Capture Capabilities