RSA Web Threat Detection - Zift Solutions

RSA Web Threat Detection v5.1 What’s New – GA Target Q2’2015

© Copyright 2015 EMC Corporation. All rights reserved.


RSA Web Threat Detection 5.0
Themes: Ease of Use, Visibility, Detection

• Search enhancements
• Access to Transaction Data
• Analyst Summary Dashboard
• Push/Pull – easy integration into other systems
• Granular Access roles/controls
• Flexible formats
• Mobile Application Parsing
• UI Enhancements
• IE 11 Support
• Simplified Upgrades
• Real-time Threat Groups
• Anonymous IP Scoring
• Profile History Timeline
• Enhanced Rules

Web Threat Detection v5.1 Main Themes

Visibility
• Internationalization

Detection and Ease of Use
• Rule Editor
• User Tracking
• SA Integration
• Audit Logging
• Access Controls

Internationalization (i18N) Support
UTF-8 non-English character support

• Increased visibility for non-English, UTF-8 compliant web traffic
• Accented characters, bi-directional and other character sets
• Holistic view of web traffic from different-language web applications:
  – User & Page Analysis
  – Rule Builder
  – Search
  – Clickstream
• Enables rule writing across website pages

*Note: The Web Threat Detection UI is not localized

Internationalization (i18N) Support (cont.)
• Rule Editor
• User Analysis

Internationalization (i18N) Support (cont.)
• Web Pages Analysis
• Search (Queries and results)

Internationalization (i18N) Support (cont.)
• Clickstream Analysis
  – StreamView
  – Transaction Viewer

Internationalization (i18N) Support (cont.) – Use Cases

• IPs and pages bouncing between websites can be captured
  https://www.domain.com/en-US/onlinebanking/login.php
  https://www.domain.com/ES/onlinebanking/AddPayee.php
  https://www.domain.com/en-US/onlinebanking/ACHpayment.php
  – EN pages are monitored while ES are not
  – Login > ACHpayment – Legitimate process
  – Login > AddPayee > ACHpayment – Higher risk for a payment transaction to a zero-day-age payee within the same session
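The use case above is a session-sequence check that only works if the localized variants of a page (here /en-US/ and /ES/) are folded together before the sequence is evaluated. The following added example, which is not RSA/EMC code, shows that check over a constructed clickstream: it strips the locale segment, decodes percent-encoded UTF-8 path segments, and then applies the two patterns from the slide to each session. The record layout, the locale-prefix shape, and the risk labels are assumptions made for this illustration.

```python
"""Clickstream sequence check across localized page paths.

Added example for the i18n use case on this slide; it is not RSA/EMC code.
A session that hops between /en-US/ and /ES/ versions of the same online
banking pages is still evaluated as one Login > AddPayee > ACHpayment
sequence. The record layout, the locale-stripping rule and the risk labels
are assumptions made for this illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed clickstream records: (session id, client IP, requested URL).
SAMPLE_CLICKSTREAM = [
    ("s1", "203.0.113.10", "https://www.domain.com/en-US/onlinebanking/login.php"),
    ("s1", "203.0.113.10", "https://www.domain.com/ES/onlinebanking/AddPayee.php"),
    ("s1", "203.0.113.10", "https://www.domain.com/en-US/onlinebanking/ACHpayment.php"),
    ("s2", "198.51.100.7", "https://www.domain.com/en-US/onlinebanking/login.php"),
    ("s2", "198.51.100.7", "https://www.domain.com/en-US/onlinebanking/ACHpayment.php"),
    # Percent-encoded UTF-8 in the path (accented characters), still one session.
    ("s3", "198.51.100.9", "https://www.domain.com/ES/banca-en-l%C3%ADnea/login.php"),
    ("s3", "198.51.100.9", "https://www.domain.com/ES/banca-en-l%C3%ADnea/AddPayee.php"),
    ("s3", "198.51.100.9", "https://www.domain.com/en-US/onlinebanking/ACHpayment.php"),
]

# Assumed locale prefix shape: two letters with an optional region ("ES", "en-US").
LOCALE_SEGMENT = re.compile(r"^[a-z]{2}(-[a-z]{2})?$", re.IGNORECASE)


def canonical_page(url: str) -> str:
    """Page name with the locale segment removed and case folded.

    Percent-encoded UTF-8 is decoded first so that accented path segments
    are handled the same way as ASCII ones.
    """
    path = unquote(urlsplit(url).path)
    segments = [s for s in path.split("/") if s]
    if segments and LOCALE_SEGMENT.match(segments[0]):
        segments = segments[1:]
    return segments[-1].casefold() if segments else ""


def session_pages(records):
    """Group canonical page names per session, preserving click order."""
    sessions = {}
    for session_id, _client_ip, url in records:
        sessions.setdefault(session_id, []).append(canonical_page(url))
    return sessions


def classify_session(pages) -> str:
    """Apply the two patterns from the slide to one session's page sequence."""
    try:
        login = pages.index("login.php")
        payment = pages.index("achpayment.php", login)
    except ValueError:
        return "no-payment"  # no login/payment pair in this session: nothing to score
    # A payee added between login and the ACH payment, all in one session,
    # is the higher-risk path; login straight to payment is the legitimate one.
    if "addpayee.php" in pages[login:payment]:
        return "high-risk"
    return "legitimate"


def classify_clickstream(records):
    """Map every session id in the records to its risk label."""
    return {sid: classify_session(pages) for sid, pages in session_pages(records).items()}


if __name__ == "__main__":
    for sid, label in classify_clickstream(SAMPLE_CLICKSTREAM).items():
        print(sid, label)
```

Session s1 is the slide's bouncing session (EN login, ES AddPayee, EN payment) and is labelled high-risk; s2 is the plain Login > ACHpayment path; s3 shows that a non-ASCII path segment does not break the grouping. Without the locale stripping, s1 and s3 would look like three unrelated pages and the AddPayee step would be invisible to the sequence check.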

Rule Editor Enhancements – Rule Builder

• Adapt faster and easier against advanced threats
• Enable easier rule writing capabilities leveraging the extensive and powerful rule syntax (for both the real-time and the hourly rule engine)
• Remove the need for navigation between the Rules/Forensics/Configuration UI to find attributes, keys and page names:
  – Attributes
  – Keys
  – Scores
  – IPs Registers
  – User Registers
  – Parameters
  – Pages
  – …

Rule Editor Enhancements (cont.) – Rule Builder

• The new rules contextual sidebar enables entry of elements into the Trigger Condition of a rule
• Expanding an element reveals the functions available for use in a rule
• Shortlist filtering for easier and more efficient navigation
• Direct access to all pages via “Apply to URL”

User Tracking
Identifying a user across applications is a complex mission

• Advanced user tracking capabilities for complex web apps, closely matching the website’s user monitoring needs
• Flexibility for identifying and tracking user-based web sessions
• Increased flexibility in leveraging complex, derived attributes
• Per-domain user tracking via multiple methods

v5.0: user = loginID;org
v5.1: user = loginID;org;page;domain;…

User Tracking (cont.) – Use Cases

• Large financial institutions have multiple web applications to monitor
• Single user, multiple userNames, different applications

Application Name | User Identification
application1.com | JohnDow119379
application2.com | JdowABCbank
application3.com | [email protected]

v5.1
– Multiple domains / web + mobile session tracking
– 119379 being the account number and ABC Bank the company name
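The table above shows the same person carrying a different login identifier on each application, and the v5.1 key (loginID;org;page;domain;…) is what lets a tracker keep those identities apart per domain while still linking the ones that share an account number. The following added example, which is not RSA/EMC code, models that with a per-domain tracking method: each domain declares which request parameter carries the login id, which (if any) carries the organisation, and an optional pattern that extracts the account number. The domain names, parameter names, regexes and sample requests are constructed for this illustration, and the composite key layout follows the slide's v5.1 string only as an assumption about how such a key is built.

```python
"""Per-domain user identification for session tracking.

Added example for the user-tracking use case on this slide; it is not
RSA/EMC code. It illustrates the v5.1 idea that the tracked user key is
composed from loginID;org;page;domain;... and that each monitored domain may
expose the user differently. The domain names, parameter names, regexes and
sample requests are constructed for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TrackingMethod:
    """How one domain exposes the user in a request (assumed configuration)."""
    login_param: str                      # request parameter carrying the login id
    org_param: Optional[str] = None       # parameter carrying the organisation, if any
    account_regex: Optional[str] = None   # extracts the account number from the login id


# Constructed per-domain configuration: one tracking method per domain,
# including the mobile front end of the first application.
TRACKING_CONFIG: Dict[str, TrackingMethod] = {
    "application1.com": TrackingMethod("username", account_regex=r"(\d{6})$"),
    "m.application1.com": TrackingMethod("uid", account_regex=r"(\d{6})$"),
    "application2.com": TrackingMethod("user", org_param="company"),
    "application3.com": TrackingMethod("email"),
}

# Constructed requests: (session id, domain, page, request parameters).
SAMPLE_REQUESTS = [
    ("web-1", "application1.com", "login.php", {"username": "JohnDow119379"}),
    ("web-1", "application1.com", "ACHpayment.php", {"amount": "250"}),
    ("web-2", "application2.com", "login.php", {"user": "JdowABCbank", "company": "ABC Bank"}),
    ("mob-1", "m.application1.com", "api/login", {"uid": "JD119379"}),
    ("web-3", "application3.com", "login.php", {"email": "jdow@example.com"}),
]


def tracking_key(domain: str, page: str, params: Dict[str, str]) -> Optional[str]:
    """Build a v5.1-style composite key "loginID;org;page;domain".

    Returns None when this request carries no login id for its domain, so a
    caller can keep the session's earlier key (or fall back to IP tracking).
    """
    method = TRACKING_CONFIG.get(domain)
    if method is None:
        return None
    login_id = params.get(method.login_param)
    if not login_id:
        return None
    org = params.get(method.org_param, "") if method.org_param else ""
    return ";".join([login_id, org, page, domain])


def account_number(domain: str, params: Dict[str, str]) -> Optional[str]:
    """Pull the account number out of the login id, where the domain has one."""
    method = TRACKING_CONFIG.get(domain)
    if method is None or method.account_regex is None:
        return None
    login_id = params.get(method.login_param, "")
    match = re.search(method.account_regex, login_id)
    return match.group(1) if match else None


def session_users(requests) -> Dict[str, str]:
    """First tracking key seen per session; later non-login requests keep it."""
    users: Dict[str, str] = {}
    for session_id, domain, page, params in requests:
        key = tracking_key(domain, page, params)
        if key is not None and session_id not in users:
            users[session_id] = key
    return users


def link_by_account(requests) -> Dict[str, List[str]]:
    """Sessions (web and mobile) that resolve to the same account number."""
    linked: Dict[str, set] = {}
    for session_id, domain, _page, params in requests:
        account = account_number(domain, params)
        if account is not None:
            linked.setdefault(account, set()).add(session_id)
    return {acct: sorted(sessions) for acct, sessions in linked.items()}


if __name__ == "__main__":
    print(session_users(SAMPLE_REQUESTS))
    print(link_by_account(SAMPLE_REQUESTS))
```

The per-domain key keeps application1 and application2 sessions distinct (different login ids and organisations), while the account-number extraction links the web and mobile sessions of application1 for the same customer, which is the "web + mobile session tracking" case on the slide. A request with no login parameter (the ACHpayment.php click) yields no key and leaves the session's existing identity untouched.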

Incident Management Integration

• Centralized management of both internal network incidents and external application security incidents
• Greater visibility of the organization’s incident and risk state, leveraging integration with RSA Security Analytics Incident Management (SAIM)
• Better operationalize WTD incidents alongside other SOC/NOC incidents (according to business priority)
• Instantly pivot to the relevant session’s clickstream within WTD

[Diagram: Web Threat Detection components – decrypted session traffic, Scoring Analytics Engine, EDS, Rule Engine, Incident Mgmt., Action Server]

Incident Management Integration (cont.)

[Diagram: Web Threat Detection (Incident Mgmt., Action Server) → RESTful API, JSON → Security Analytics Incident Management; visibility to IP, User and Page details, Clickstream]

* In order to use SA IM an ESA appliance is needed

Incident Management Integration (cont.)

Quickly navigate to the relevant Web Threat Detection session

Audit Logging

• Expanded compliance with additional audit log capabilities, as user management changes are now tracked
• Automate log parsing into 3rd party SIEM systems for further monitoring

v5.0: Rule Management audit logs
v5.1: User Management audit logs
• Add
• Delete
• Update

Access Controls Enhancements

• Enable WTD users self-service password management to achieve increased security controls
• Users can now change their own passwords without administrator intervention

[Diagram: Admin issues an account username & password → User uses self-service password management to update the password]

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.