This Ask the Expert session will be covering the just-announced release of RSA Security Analytics 10.4 and RSA ECAT 4.0. These releases mark significant milestones for both products and include many powerful new features that will go a long way toward helping SOCs go from the hunted to the hunter. Some highlights of the releases include:
The highlights mentioned above are just the tip of the iceberg. There are too many new features to list them all! Fortunately Brian Dunphy, the head of RSA’s Advanced SOC product management group, is here to answer any questions you might have about RSA Security Analytics 10.4 and RSA ECAT 4.0.
Brian Dunphy is the Senior Director of Product Management for Security Analytics at RSA, where he leverages his experience with security monitoring and analytics, incident response, crisis management and security operations. Prior to his current role, Brian spent a decade at Symantec in their MSS group, focusing on delivering security services to global Fortune 500 companies, and eventually becoming the Senior Director of MSS Product Management.
Brian graduated from Carnegie Mellon University with a Bachelor's Degree in Computer Engineering, followed by a four-year stint as an Incident Response Lead at DISA while serving in the United States Air Force.
This discussion takes place September 15 - 26. Get ready by following this page to receive updates in your activity stream or through email.
This discussion is now open for questions. We very much look forward to an interactive and informative discussion.
There are quite a few new features and we're really proud of this release. Some of the major categories of new features are:
· Complete Visibility. SA 10.4 expands our visibility story by expanding from logs and packets to endpoint and NetFlow visibility. For endpoint visibility, RSA ECAT extends our insight into high risk processes and file visibility, while NetFlow provides visibility into internal traffic and lateral movement.
· Rapid Investigations. We have added a series of enhancements for analysts, including improved performance and advanced abilities to query and search. The SA 10.4 capabilities provide security analysts the ability to hone in on issues with precision and speed.
· SIEM & Beyond Analytics. Unlike other SIEMs, Security Analytics can detect events not only using logs, but with meta from Packets and ECAT alerts. In SA 10.4 we also enable the RSA Analytics Warehouse to deliver packaged data science based analytics to detect “under the radar” attacks.
· Prioritized Incident Management. We now have the capability to prioritize alerts, enabling analysts to natively perform incident management in RSA Security Analytics and combine alerts across logs, endpoints, packets and malware data into incidents. Security teams can drive actions such as assigning incidents, triggering investigations, and commenting in an analyst journal. This new capability also integrates with SecOps for Archer for enhanced workflow, pre-defined incident response procedures, breach management and additional investigative context.
· Scalable and Modular Platform. We offer SIEM, Network Forensics, and Endpoint Detection in modules to provide customers a platform that they can build on as their security program matures. Deploy the entire solution, or just the modules you need right now.
I heard that in 10.4 we will be able to do static device typing (i.e. lock an IP address to a specific device type like Cisco Router). Where and how will this be accomplished?
We've seen a lot of issues around reports not running when using a time frame of more than 30 minutes to an hour. They give us 500 internal server errors; will this be resolved in 10.4?
Does 10.4 have the ability to show in the UI the parser XML file, so that we can determine what messages SA knows about without having to look at the file through an SSH or WinSCP session? Along with this, is there a place in the GUI where we can map the eventid that we find in the parser XML file to the event category name that is used within the UI for meta, without having to use SSH or WinSCP to manually pull the ecat file and find it?
Does 10.4 have the ability to do device grouping? When writing an alert in ESA, if we want to only know if core switches have high alerts, we currently have to put all 20+ IPs manually into the ESA logic (and do this for each alert); being able to group devices easily by function/location would be a huge time-saver.
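The two asks in this thread, pinning a log-source IP to a static device type and grouping devices by function or location so an alert rule can reference the group instead of a hand-maintained list of IPs, are what the following added example sketches. It is illustrative Python written for this page, not RSA Security Analytics or ESA code, and the inventory, group names, severity scale and log events are all constructed assumptions; the point it shows is that the rule names the group, the inventory owns the membership, and an event from an IP that is not in the inventory never matches.

```python
"""Added example (not RSA Security Analytics / ESA code): a small device
inventory that maps a log-source IP to a static device type and a set of
groups, plus an alert rule evaluated against constructed log events."""

import ipaddress
from dataclasses import dataclass

# Severity scale assumed for this example (not an RSA/ESA scale).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Device:
    ip: str
    device_type: str   # static type pinned to the IP, e.g. "cisco-switch"
    groups: frozenset  # function/location groups, e.g. {"core-switches"}


class Inventory:
    """IP -> Device lookup; group membership is derived from the same records,
    so adding a switch to the inventory adds it to every rule that names its group."""

    def __init__(self):
        self._by_ip = {}

    def add(self, ip, device_type, groups):
        ipaddress.ip_address(ip)  # reject malformed keys before they poison lookups
        self._by_ip[ip] = Device(ip, device_type, frozenset(groups))

    def device_type(self, ip):
        d = self._by_ip.get(ip)
        return d.device_type if d else None

    def in_group(self, ip, group):
        d = self._by_ip.get(ip)
        return d is not None and group in d.groups

    def members(self, group):
        return sorted(d.ip for d in self._by_ip.values() if group in d.groups)


def evaluate_rule(inventory, events, group, min_severity):
    """Return the events raised by devices in `group` at or above `min_severity`,
    annotated with the device type. An event whose source IP is unknown to the
    inventory never matches: an unclassified host must not count as a core switch."""
    threshold = SEVERITY[min_severity]
    hits = []
    for ev in events:
        ip = ev["device_ip"]
        if inventory.in_group(ip, group) and SEVERITY.get(ev["severity"], 0) >= threshold:
            hits.append({**ev, "device_type": inventory.device_type(ip)})
    return hits


def build_demo_inventory():
    # Constructed inventory; addresses and types are hypothetical.
    inv = Inventory()
    inv.add("10.0.0.1", "cisco-switch", {"core-switches", "dc-east"})
    inv.add("10.0.0.2", "cisco-switch", {"core-switches", "dc-west"})
    inv.add("10.0.1.10", "cisco-router", {"edge-routers", "dc-east"})
    return inv


# Constructed log events, already normalised to (device_ip, severity, msg).
DEMO_EVENTS = [
    {"device_ip": "10.0.0.1", "severity": "high", "msg": "spanning-tree topology change"},
    {"device_ip": "10.0.0.2", "severity": "low", "msg": "interface up"},
    {"device_ip": "10.0.1.10", "severity": "critical", "msg": "BGP neighbour down"},
    {"device_ip": "192.0.2.9", "severity": "critical", "msg": "unknown source"},
]


def demo():
    """Rule: 'high or worse from any core switch', expressed by group name only."""
    return evaluate_rule(build_demo_inventory(), DEMO_EVENTS, "core-switches", "high")


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['device_ip']} ({hit['device_type']}) {hit['severity']}: {hit['msg']}")
```

Only the first event fires: the router's critical event is in a different group, the second switch is below the threshold, and the unknown 192.0.2.9 source is ignored even though it is "critical".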