In a previous life, I remember spending time at a company's co-location facility where many organizations hosted their production and testing environments. There was a shared workspace, and I remember having quite a few conversations with industry peers about various topics. Not surprisingly, the one topic that came up more frequently than others was security - how were we protecting our environments...what kind of attacks were we seeing...did we know that Bob from WidgetTech was compromised? This fundamental sharing of security practitioner information was absolutely vital for us to hear and understand what was happening at other organizations, determine if we were potentially at risk, and share techniques and tactics with peers on how to combat attackers and threats.
Security practitioners around the world educate and share security information with their peers, cross-industry. For example, a colleague in Israel told me how he and other local CISOs link up on a group chat to share information about threats they're encountering. There are multiple forums and boards where security analysts share threat intel, and many security vendors now publicly publish blogposts about attacks they've thwarted with their incident response teams or research undertaken by their security analysts. Considering that threat actors are rapidly evolving their own techniques, this information sharing of threat and threat actors is a key mechanism for us to adapt our own approaches to protect our organizations. However, ultimately, the biggest dilemma then becomes how to actually process and prioritize all this intelligence into something business-relevant that is actionable for a security analyst, who struggles already with too much information and alerts.
Fortunately, here at RSA, we have an answer. We call it RSA Live Connect. RSA Live Connect is a community-based and cloud-hosted threat intelligence sharing platform that first crowdsources threat data and then centrally collects, analyzes, and redistributes this data back to the community - practically in real-time. The goal here is to help our community leverage the vast knowledge, observations, and experiences of their peers to aid in better identifying and more rapidly responding to those new and never-seen-before threats that are bypassing signature-based security and specifically targeting organizations around the world.
RSA is pleased to announce that RSA NetWitness Endpoint 4.2 now offers support for RSA Live Connect. The RSA Live Connect service for RSA NetWitness Endpoint allows subscribers to augment their threat detection and analysis with community information aggregated from the vast RSA customer community. They gain immediate access to vital data such as statistics on hash reputation within the community; dates and times when a threat was first seen; and proportions of decisions made by security analysts across the community. Furthermore, participants can rest assured knowing that no customer-identifiable information is shared within the service, and all data at-rest are stored in encrypted form, and all connections are secured through SSL.
Additionally, RSA NetWitness Endpoint 4.2 now extends agent support to Linux assets. With our latest release, we are introducing support for two of the most popular Linux distributions used in enterprise and business deployments - Red Hat Enterprise Linux and CentOS. Furthermore, the RSA NetWitness Endpoint Linux Agent comes complete with a fully realized set of capabilities that provide immediate business value to organizations - including 35+ brand-new behavioral queries out of the box that pinpoint Linux-specific behaviors that are anomalous and potentially malicious; Linux File Reputation Services (aka whitelisting); community blacklisting; and extended support for Yara rules.
Behavioral-based monitoring from RSA NetWitness Endpoint is especially important for Linux endpoints due to the fact that Linux malware is more commonly a malicious payload that is downloaded and lives in memory. Signatures won't catch that, but behavior-based detection augmented by community-sourced threat intelligence will ensure that organizations can take the right actions to eradicate the threats.
Now, looking back, I can't help but think that if Bob from WidgetTech had RSA NetWitness Endpoint running in his Linux production environment he would have saved himself a ton of pain and heartache.
RSA NetWitness Endpoint 4.2, with support for Linux and RSA Live Connect, is available now!
Author: David D'Aprile
Category: Archive, Threat Detection and Response
Keywords: Edr, Endpoint, Endpoint Security, ETDR, Incident Response, Intelligence-Driven Security, Live Connect, Malware, NetWitness Endpoint, Security Analytics, Threat Intelligence